[Samba] Exporting keytab for SPN failure

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Sep 14 17:53:02 UTC 2016

> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
> On 14.09.2016 at 18:23, Michael A Weber wrote:
>> Question though, just for my curiosity:
>> The encryption algorithms specified after each SPN:  I see that aes-256 is listed when I export the user, but not the SPN.  Are those expected, or have I done something wrong and used incorrect algorithms somewhere?  I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
> I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part the aes keys are included. In your case --principal HTTP/intranet.

So, now I’m a little more confused.  I’ve added the SPN to the user without the realm part, which succeeds.  I listed it to verify, and it’s there (sanitized here):

samba-tool spn list web-intranet-macmini
User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName: 

Then, if I go to export the keytab as you have indicated above with --principal=HTTP/intranet it errors:

samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
    net.export_keytab(keytab=keytab, principal=principal)

Should that command work?  Or, was that for demonstration/explanation purposes only?  I’m assuming it worked for you since you referenced my specific case.

I feel I’m missing something.

> The encryption methods used can be controlled with net ads enctypes.
> If I run (after kinit Administrator)
> net ads enctypes list dc1$
> I get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96

I get this as well.

> If I use
> net ads enctypes list dc1.domain.local$
> I get
> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))

Again, I get this as well.

> Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses des and arcfour keys per default.
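As an added example (not from this thread or from Samba's own code), the following Python parses an exported keytab in the MIT 0x0502 format and reports which enctypes each principal's entries actually carry, flagging principals that have no AES key, which is the check behind the question about aes-256 appearing for the user but not the SPN. The keytab bytes, the realm EXAMPLE.TLD and the key material are constructed placeholders.

```python
import struct

ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC",  # RFC 3961/3962/4757 numbers
                 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}
AES_ENCTYPES = {17, 18}

def parse_keytab(data):
    """Yield (principal, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot, skip it
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        off, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (ln,) = struct.unpack(">H", entry[off:off + 2])
            parts.append(entry[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        off += 4 + 4 + 1                   # name_type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack(">H", entry[off:off + 2])
        yield "/".join(parts[1:]) + "@" + parts[0], enctype

def audit_keytab(data):
    """Return ({principal: [enctype names]}, [principals with no AES key])."""
    keys = {}
    for principal, enctype in parse_keytab(data):
        keys.setdefault(principal, set()).add(enctype)
    names = {p: sorted(ENCTYPE_NAMES.get(e, str(e)) for e in ets) for p, ets in keys.items()}
    return names, sorted(p for p, ets in keys.items() if not ets & AES_ENCTYPES)

def _entry(components, realm, enctype, key):
    """Build one keytab entry for the constructed sample (dummy key bytes, not a real key)."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, 2)     # NT-PRINCIPAL, timestamp, kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the SPN only carries DES/RC4 keys, the user account carries AES256.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _entry(["HTTP", "intranet"], "EXAMPLE.TLD", 3, b"\x00" * 8)
    + _entry(["HTTP", "intranet"], "EXAMPLE.TLD", 23, b"\x00" * 16)
    + _entry(["web-intranet-macmini"], "EXAMPLE.TLD", 18, b"\x00" * 32))
```

Run `audit_keytab(open("intranet-macmini.keytab", "rb").read())` against a real export to see which principals would still only be usable with DES or RC4 keys.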
