[Samba] Exporting keytab for SPN failure

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Sep 14 18:21:16 UTC 2016


> On Sep 14, 2016, at 12:57 PM, Achim Gottinger <achim at ag-web.biz> wrote:
> 
> 
> 
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> 
>>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
>>> 
>>> 
>>> 
>>> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>>>> Experts—
>>>> 
>>>> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>>>> 
>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>> 
>>>> Steps taken to recreate:
>>>> 
>>>> 1.  Create a user for the SPN
>>>> 
>>>> samba-tool user create web-intranet-macmini
>>>> <provided password when prompted>
>>>> 
>>>> 2.  Add the SPN:
>>>> 
>>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>>>> <succeeded without error>
>>>> 
>>>> 3.  Export the keytab file to be used on the intranet host:
>>>> 
>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>>> 
>>>> <Get the error listed above>
>>>> 
>>>> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>>>> 
>>>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat finger anything (and to make sure my contact lenses are making me see what I think I’m seeing) and I still get the error.
>>>> 
>>>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>>>> 
>>>> Is there something glaringly obvious I’m missing?
>>>> 
>>>> Mike
>>> Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with
>>> klist -Kek [your keytabfile]
>>> 
>> 
>> I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm.  Then, I deleted the SPN and re-created it with the realm.
>> 
>> Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
>> 
>> Keytab name: FILE:/root/intranet-macmini.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>> 
>> 
>> 
>>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> 
>>> Yes, the principal isn't the SPN when you try to export the keytab, it
>>> is the user.
>>> 
>>> Rowland
>>> 
>> 
>> 
>> 
>> Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab as verified by the klist -Kek command:
>> 
>> Keytab name: FILE:/root/intranet-macmini.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>> 
>> 
>> Experts--
>> 
>> So, which method is the correct way to export a keytab for an SPN for, say, Apache?
>> 
>> Question though, just for my curiosity:
>> 
>> The encryption algorithms specified after each SPN:  I see that aes-256 is listed when I export the user, but not the SPN.  Are those expected, or have I done something wrong and used incorrect algorithms somewhere?  I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>> 
>> Mike
> You can use ktutil to add the AES keys manually. You cannot use a random password for the user account with this.
> 
> #ktutil
> ktutil: rkt [keytabfile]
> ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD -k 1 -e aes256-cts-hmac-sha1-96
> ktutil: [enter the password used for web-intranet-macmini]
> ktutil: wkt [keytabfile]
> ktutil: q
> 
> I have not tested this, but it should work; I used a similar approach with samba 4.0 for imap and smtp principals.

I just did this, and I confirm, it did work.  Fortunately for me, I don't use a random password for the user account, but rather a password generator and encrypted storage for them so I can retrieve them.

However, for Rowland's wiki needs, what would be the correct way/command to export this so that the SPN listed is the one intended (i.e. HTTP/fqhn@realm), since using --principal=user exports a keytab with user@realm, not the intended SPN?  I'm guessing we do it as you have suggested by leaving off the realm, and then for the added algorithms, we add them via ktutil.

Does that sound right?

Mike
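The thread's two checks (is the principal in the keytab the SPN or the user account, and does the file carry AES keys or only DES/RC4) are what `klist -Kek` answers by hand. As an added example, not code from the thread or from Samba, here is a small reader/writer for the MIT v2 keytab format (`0x0502`) that makes the same audit scriptable: it parses each entry's principal, kvno and enctype, reports whether the expected SPN is present, which AES enctypes are missing, and which DES/RC4 entries are present. The two sample keytabs it builds mirror the `klist` output posted above; the key bytes, the helper names and the principal names are constructed for the example and are not real keys.

```python
"""Audit an MIT v2 keytab: principal present? AES keys present? weak enctypes?"""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 3, 23}       # DES and RC4 entries: flag them
REQUIRED = {17, 18}     # AES entries a current client expects to negotiate
NT_PRINCIPAL = 1        # name_type used for user and service principals

# Principals from the thread (constructed example values, not a real domain)
SPN = "HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD"
USER = "web-intranet-macmini@DOMAIN2.DOMAIN1.TLD"


def _counted(b):
    """Keytab 'counted string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def write_keytab(entries):
    """entries: list of (principal, kvno, enctype, key_bytes) -> keytab bytes."""
    out = bytearray(b"\x05\x02")                      # version 2 keytab
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type, timestamp (0 for the example), 8-bit vno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body    # signed size prefix
    return bytes(out)


def read_keytab(data):
    """Parse keytab bytes into (principal, kvno, enctype, key_bytes) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def audit_keytab(data, expected_principal):
    """Report what klist -Kek would show, reduced to the questions that matter."""
    entries = read_keytab(data)
    present = {e for p, _, e, _ in entries if p == expected_principal}
    others = sorted({p for p, _, _, _ in entries if p != expected_principal})
    return {
        "principal_found": bool(present),
        "unexpected_principals": others,
        "missing_aes": sorted(ENCTYPES[e] for e in REQUIRED - present),
        "weak_present": sorted(ENCTYPES[e] for e in present & WEAK),
    }


def sample_spn_keytab():
    """Constructed keytab matching the SPN export in the thread (no AES keys)."""
    return write_keytab([(SPN, 1, 1, b"\x11" * 8), (SPN, 1, 3, b"\x22" * 8),
                         (SPN, 1, 23, b"\x33" * 16)])


def sample_user_keytab():
    """Constructed keytab matching the --principal=user export (AES, but wrong name)."""
    return write_keytab([(USER, 1, 1, b"\x11" * 8), (USER, 1, 3, b"\x22" * 8),
                         (USER, 1, 17, b"\x44" * 16), (USER, 1, 18, b"\x55" * 32),
                         (USER, 1, 23, b"\x33" * 16)])


if __name__ == "__main__":
    for label, kt in (("spn export", sample_spn_keytab()), ("user export", sample_user_keytab())):
        print(label, audit_keytab(kt, SPN))
```

Run it against a real file with `audit_keytab(open(path, "rb").read(), SPN)`; a healthy result for the Apache case is `principal_found` true, an empty `missing_aes`, and ideally an empty `weak_present` once the DES entries are no longer needed.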


