[Samba] Exporting keytab for SPN failure
Michael A Weber
mweber.subscriptions01 at gmail.com
Wed Sep 14 17:53:02 UTC 2016
> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> Question though, just for my curiosity:
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
> I get the same behaviour here. If i do nout use the FQDN and only the hostname without the domain part the aes keys are included. In your case --principal HTTP/intranet.
So, now I’m a little more confused. I’ve added the SPN to the user without the realm part, which succeeds. I listed it to verify, and it’s there (sanitized here):
samba-tool spn list web-intranet-macmini
User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName:
Then, if I go to export the keytab as you have indicated above with —principal=HTTP/intranet it errors:
samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
Should that command work? Or, was that for demonstration/explanation purposes only? I’m assuming it worked for you since you referenced my specific case.
I feel I’m missing something.
> The encryption methods used can be controlled with net ads enctypes.
> If i run (after kinit Administrator)
> net ads enctypes list dc1$
> i get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
I get this as well.
> If i use
> net ads enctypes list dc1.domain.local$
> i get
> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
Again, I get this as well.
> Seems "samba-tool domain exportkeytab" uses an similar algorythm and therefore does not find the account and uses des and arcfour keys per default.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba