[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Wed Sep 14 17:57:26 UTC 2016
On 14.09.2016 at 18:23, Michael A Weber wrote:
>
>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba
>> <samba at lists.samba.org> wrote:
>>
>>
>>
>> On 14.09.2016 at 05:53, Michael A Weber via samba wrote:
>>> Experts—
>>>
>>> I’m attempting to export a keytab for a created SPN on the AD DC
>>> machine but I’m receiving an error:
>>>
>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>
>>> Steps taken to recreate:
>>>
>>> 1. Create a user for the SPN
>>>
>>> samba-tool user create web-intranet-macmini
>>> <provided password when prompted>
>>>
>>> 2. Add the SPN:
>>>
>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>>> <succeeded without error>
>>>
>>> 3. Export the keytab file to be used on the intranet host:
>>>
>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>>
>>> <Get the error listed above>
>>>
>>> Now, I tried adding another SPN without the realm, and exporting
>>> without the realm, and I did not receive an error.
>>>
>>> I then deleted both SPNs via samba-tool spn delete, recreated the
>>> SPN using the realm just to make sure I’m not completely crazy and
>>> didn’t fat finger anything (and to make sure my contact lenses are
>>> making me see what I think I’m seeing) and I still get the error.
>>>
>>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s)
>>> associated with that user, and they are correct.
>>>
>>> Is there something glaringly obvious I’m missing?
>>>
>>> Mike
>> Last time I created an SPN it was not necessary to add the realm
>> part when creating the realm. It should be added automatically and
>> you can verify it with
>> klist -Kek [your keytabfile]
>>
>
> I did previously create an SPN without the realm, but the SPN
> attribute on the user also did not contain the realm. Then, I deleted
> the SPN and re-created it with the realm.
>
> Achim, I just tested your recommendation and verified with the klist
> command above, and they do look correct (sanitized below, of course):
>
> Keytab name: FILE:/root/intranet-macmini.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>
>
>
>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>
>> Yes, the principal isn't the SPN when you try to export the keytab, it
>> is the user.
>>
>> Rowland
>>
>
>
> Rowland, when I use your method of specifying the principal as the
> user and not the SPN, I get what I would think for Apache would be a
> completely incorrect keytab as verified by the klist -Kek command:
>
> Keytab name: FILE:/root/intranet-macmini.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>
>
> Experts--
>
> So, which method is the correct way to export a keytab for an SPN for,
> say, Apache?
>
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that
> aes-256 is listed when I export the user, but not the SPN. Are those
> expected, or have I done something wrong and used incorrect algorithms
> somewhere? I recall reading that DES is not secure enough and that
> AES-256 (I think I read this during TLS enablement) is what should be
> used.
>
> Mike
You can use ktutil to add the aes keys manually. You cannot use a random
password for the user account with this.
# ktutil
ktutil: rkt [keytabfile]
ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD -k 1 -e aes256-cts-hmac-sha1-96
ktutil: [enter the password used for web-intranet-macmini]
ktutil: wkt [keytabfile]
ktutil: q
I have not tested this, but it should work; I used a similar approach with
samba 4.0 for imap and smtp principals.
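One way to check an exported keytab before handing it to Apache, as an added example that is not from the thread or from Samba: parse `klist -Kek` output, confirm the expected service principal is present, and flag entries that only carry the DES/RC4 enctypes seen in the SPN export above. The weak/strong enctype sets and the sample listing are constructed from this thread; `audit_keytab` is a hypothetical helper name.

```python
"""Audit the enctypes in a keytab from `klist -Kek` output (example, not Samba code)."""
import re
from collections import defaultdict

# Enctypes the thread's SPN export produced that should no longer be relied on
# (single DES and RC4-HMAC), and the AES types we expect a service keytab to hold.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
STRONG_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Entry lines of `klist -Kek` look like: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(output):
    """Return {principal: [(kvno, enctype), ...]} parsed from klist -Kek text."""
    entries = defaultdict(list)
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and "Keytab name:" lines do not match
            entries[m.group(2)].append((int(m.group(1)), m.group(3)))
    return dict(entries)


def audit_keytab(output, expected_principal):
    """Report whether the SPN is present and which enctypes are weak or missing."""
    entries = parse_klist(output)
    present = {enc for ents in entries.values() for _, enc in ents}
    return {
        "has_expected_principal": expected_principal in entries,
        "weak": sorted(present & WEAK_ENCTYPES),
        "missing_strong": sorted(STRONG_ENCTYPES - present),
    }


# Constructed sample: the SPN export listing from the thread (DES and RC4 only).
SPN_EXPORT = """Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
"""

if __name__ == "__main__":
    spn = "HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD"
    print(audit_keytab(SPN_EXPORT, spn))
```

Run it against `klist -Kek <keytab>` output on the DC; an empty `missing_strong` list and an empty `weak` list is what you want to see before deploying the file.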