[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Wed Sep 14 18:10:37 UTC 2016
On 14.09.2016 at 19:53, Michael A Weber wrote:
>
>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>
>>
>>
>> On 14.09.2016 at 18:23, Michael A Weber wrote:
>>> Question though, just for my curiosity:
>>>
>>> The encryption algorithms specified after each SPN: I see that
>>> aes-256 is listed when I export the user, but not the SPN. Are
>>> those expected, or have I done something wrong and used incorrect
>>> algorithms somewhere? I recall reading that DES is not secure
>>> enough and that AES-256 (I think I read this during TLS enablement)
>>> is what should be used.
>> I get the same behaviour here. If I do not use the FQDN and only the
>> hostname without the domain part the aes keys are included. In your
>> case --principal HTTP/intranet.
>
> So, now I’m a little more confused. I’ve added the SPN to the user
> without the realm part, which succeeds. I listed it to verify, and
> it’s there (sanitized here):
>
> samba-tool spn list web-intranet-macmini
> web-intranet-macmini
> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has
> the following servicePrincipalName:
> HTTP/intranet.domain2.domain1.tld
>
> Then, if I go to export the keytab as you have indicated above with
> --principal=HTTP/intranet it errors:
>
> samba-tool domain exportkeytab ~/intranet-macmini.keytab
> --principal=HTTP/intranet
> ERROR(runtime): uncaught exception - Key table entry not found
> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
> 129, in run
> net.export_keytab(keytab=keytab, principal=principal)
>
> Should that command work? Or, was that for demonstration/explanation
> purposes only? I’m assuming it worked for you since you referenced my
> specific case.
>
> I feel I’m missing something.
>
>>
>> The encryption methods used can be controlled with net ads enctypes.
>>
>> If I run (after kinit Administrator)
>> net ads enctypes list dc1$
>> I get
>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>> [X] 0x00000001 DES-CBC-CRC
>> [X] 0x00000002 DES-CBC-MD5
>> [X] 0x00000004 RC4-HMAC
>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>
>
> I get this as well.
>
>> If I use
>> net ads enctypes list dc1.domain.local$
>> I get
>> no account found with filter:
>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>
>
> Again, I get this as well.
>
>> Seems "samba-tool domain exportkeytab" uses a similar algorithm and
>> therefore does not find the account and uses DES and arcfour keys per
>> default.
>>
>
> Mike
Try this
net ads enctypes set web-intranet-macmini 31
Afterwards "domain export" will also export AES keys for the SPNs.
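The value 31 passed to `net ads enctypes set` above is the msDS-SupportedEncryptionTypes bitmask whose bits `net ads enctypes list` prints for dc1$ earlier in the thread. The following is an added example, not code from Samba or from anyone in this thread: it decodes such a bitmask into the enctype names, parses the listing output quoted above, renders it back in the same layout, and (going a step beyond the thread) computes the value you would set for an AES-only account, which is the usual hardening step once DES and RC4 are no longer needed. The five bit values and names are taken from the quoted listing; any other bits are reported as raw leftovers rather than named. The sample listing embedded in the block is constructed from the thread.

```python
"""Helper for reading and building the msDS-SupportedEncryptionTypes bitmask
that `net ads enctypes list` prints and `net ads enctypes set` writes.
Added example for this thread; not part of Samba. The five bit values
below are the ones shown in the thread's listing; other bits are reported raw."""
import re

ENCTYPE_BITS = [
    (0x00000001, "DES-CBC-CRC"),
    (0x00000002, "DES-CBC-MD5"),
    (0x00000004, "RC4-HMAC"),
    (0x00000008, "AES128-CTS-HMAC-SHA1-96"),
    (0x00000010, "AES256-CTS-HMAC-SHA1-96"),
]
KNOWN_MASK = sum(bit for bit, _ in ENCTYPE_BITS)
# DES and RC4 are the legacy types; the remaining two known bits are AES.
LEGACY_NAMES = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}


def decode_enctypes(value):
    """Return (enabled enctype names, leftover bits not in the table)."""
    if value < 0:
        raise ValueError("enctype bitmask must be non-negative")
    names = [name for bit, name in ENCTYPE_BITS if value & bit]
    return names, value & ~KNOWN_MASK


def encode_enctypes(names):
    """Build the bitmask for a list of enctype names (order does not matter)."""
    lookup = {name: bit for bit, name in ENCTYPE_BITS}
    value = 0
    for name in names:
        if name not in lookup:
            raise ValueError("unknown enctype: %s" % name)
        value |= lookup[name]
    return value


def legacy_enctypes(value):
    """DES/RC4 types still enabled in a bitmask; an empty list means AES-only."""
    names, _ = decode_enctypes(value)
    return [n for n in names if n in LEGACY_NAMES]


def format_listing(account, value):
    """Render a bitmask in the layout `net ads enctypes list` uses in the thread."""
    lines = ['\'%s\' uses "msDS-SupportedEncryptionTypes": %d (0x%08x)'
             % (account, value, value)]
    for bit, name in ENCTYPE_BITS:
        mark = "X" if value & bit else " "
        lines.append("[%s] 0x%08x %s" % (mark, bit, name))
    return "\n".join(lines)


def parse_listing(text):
    """Recover (account, bitmask) from listing text in that layout."""
    m = re.search(r"'(?P<acct>[^']+)' uses \"msDS-SupportedEncryptionTypes\": (?P<val>\d+)",
                  text)
    if m is None:
        raise ValueError("not an enctypes listing")
    return m.group("acct"), int(m.group("val"))


# Constructed sample: the dc1$ listing quoted in the thread.
SAMPLE_LISTING = """'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
"""

if __name__ == "__main__":
    account, value = parse_listing(SAMPLE_LISTING)
    print(format_listing(account, value))
    print("legacy types still enabled:", legacy_enctypes(value))
    # Hypothetical hardening value to hand to `net ads enctypes set`: AES only.
    aes_only = encode_enctypes(["AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"])
    print("AES-only bitmask:", aes_only)
```

Running it prints the dc1$ listing as shown in the thread, reports the three legacy types that 31 still enables, and prints 24 (0x18) as the AES-only value. Whether an account can actually drop DES/RC4 depends on the clients that use that SPN, so check `legacy_enctypes` on the current value before lowering it.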