[Samba] Exporting keytab for SPN failure

Rowland Penny rpenny at samba.org
Wed Sep 14 18:28:40 UTC 2016


On Wed, 14 Sep 2016 13:21:16 -0500
Michael A Weber via samba <samba at lists.samba.org> wrote:

> 
> > On Sep 14, 2016, at 12:57 PM, Achim Gottinger <achim at ag-web.biz>
> > wrote:
> > 
> > 
> > 
> > Am 14.09.2016 um 18:23 schrieb Michael A Weber:
> >> 
> >>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba
> >>> <samba at lists.samba.org> wrote:
> >>> 
> >>> 
> >>> 
> >>> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
> >>>> Experts—
> >>>> 
> >>>> I’m attempting to export a keytab for a created SPN on the AD DC
> >>>> machine but I’m receiving an error:
> >>>> 
> >>>> ERROR(runtime): uncaught exception - Key table entry not found
> >>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>>     return self.run(*args, **kwargs)
> >>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
> >>>>     net.export_keytab(keytab=keytab, principal=principal)
> >>>> 
> >>>> Steps taken to recreate:
> >>>> 
> >>>> 1.  Create a user for the SPN
> >>>> 
> >>>> samba-tool user create web-intranet-macmini
> >>>> <provided password when prompted>
> >>>> 
> >>>> 2.  Add the SPN:
> >>>> 
> >>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> >>>> <succeeded without error>
> >>>> 
> >>>> 3.  Export the keytab file to be used on the intranet host:
> >>>> 
> >>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD
> >>>> 
> >>>> <Get the error listed above>
> >>>> 
> >>>> Now, I tried adding another SPN without the realm, and exporting
> >>>> without the realm, and I did not receive an error.
> >>>> 
> >>>> I then deleted both SPNs via samba-tool spn delete, recreated
> >>>> the SPN using the realm just to make sure I’m not completely
> >>>> crazy and didn’t fat finger anything (and to make sure my
> >>>> contact lenses are making me see what I think I’m seeing) and I
> >>>> still get the error.
> >>>> 
> >>>> When I do samba-tool spn list web-intranet-macmini, I see the
> >>>> SPN(s) associated with that user, and they are correct.
> >>>> 
> >>>> Is there something glaringly obvious I’m missing?
> >>>> 
> >>>> Mike
> >>> Last time I created an SPN it was not necessary to add the realm
> >>> part when creating the realm. It should be added automatically
> >>> and you can verify it with klist -Kek [your keytabfile]
> >>> 
> >>> -- 
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> >> I did previously create an SPN without the realm, but the SPN
> >> attribute on the user also did not contain the realm.  Then, I
> >> deleted the SPN and re-created it with the realm.
> >> 
> >> Achim, I just tested your recommendation and verified with the
> >> klist command above, and they do look correct (sanitized below, of
> >> course):
> >> 
> >> Keytab name: FILE:/root/intranet-macmini.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    1 HTTP/intranet.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
> >>    1 HTTP/intranet.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
> >>    1 HTTP/intranet.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
> >> 
> >> 
> >> 
> >>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>> 
> >>> Yes, the principal isn't the SPN when you try to export the
> >>> keytab, it is the user.
> >>> 
> >>> Rowland
> >>> 
> >> 
> >> 
> >> 
> >> Rowland, when I use your method of specifying the principal as the
> >> user and not the SPN, I get what I would think for Apache would be
> >> a completely incorrect keytab as verified by the klist -Kek
> >> command:
> >> 
> >> Keytab name: FILE:/root/intranet-macmini.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    1 web-intranet-macmini at DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
> >>    1 web-intranet-macmini at DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
> >>    1 web-intranet-macmini at DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
> >>    1 web-intranet-macmini at DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
> >>    1 web-intranet-macmini at DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
> >> 
> >> 
> >> Experts--
> >> 
> >> So, which method is the correct way to export a keytab for an SPN
> >> for, say, Apache?
> >> 
> >> Question though, just for my curiosity:
> >> 
> >> The encryption algorithms specified after each SPN:  I see that
> >> aes-256 is listed when I export the user, but not the SPN.  Are
> >> those expected, or have I done something wrong and used incorrect
> >> algorithms somewhere?  I recall reading that DES is not secure
> >> enough and that AES-256 (I think I read this during TLS
> >> enablement) is what should be used.
> >> 
> >> Mike
> > You can use ktutil to add the aes keys manually. You can not use a
> > random password for the user account with this.
> > 
> > # ktutil
> > ktutil: rkt [keytabfile]
> > ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld at DOMAIN2.DOMAIN1.TLD -k 1 -e aes256-cts-hmac-sha1-96
> > ktutil: [enter the password used for web-intranet-macmini]
> > ktutil: wkt [keytabfile]
> > ktutil: q
> > 
> > I have not tested this, but it should work; I used a similar approach
> > with samba 4.0 for imap and smtp principals.
> 
> I just did this, and I confirm, it did work.  Fortunately for me, I
> don’t use random passwords for the user account, but rather a password
> generator and an encrypted storage for them so I can retrieve them.
> 
> However, for Rowland’s wiki needs, what would be the correct
> way/command to export this so that the SPN listed is the one intended
> (i.e. HTTP/fqhn at realm) since using --principal=user exports a keytab
> with a user at realm, not the intended SPN?  I’m guessing we do it as
> you have suggested by leaving off the realm, and then for the added
> algorithms, we add them via ktutil.
> 
> Does that sound right?
> 
> Mike
> 

I have already fixed the wiki and if you create the keytab using the
user, you get this:

root at dc1:~# ktutil
ktutil:  rkt /root/ktestuser.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2             ktestuser at SAMDOM.EXAMPLE.COM
   2    2             ktestuser at SAMDOM.EXAMPLE.COM
   3    2             ktestuser at SAMDOM.EXAMPLE.COM
   4    2             ktestuser at SAMDOM.EXAMPLE.COM
   5    2             ktestuser at SAMDOM.EXAMPLE.COM
ktutil: q 

And if you use the spn, you get this:

root at dc1:~# ktutil
ktutil:  rkt /root/ktestuser1.keytab 
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/dc1.samdom.example.com at SAMDOM.EXAMPLE.COM
   2    2 HTTP/dc1.samdom.example.com at SAMDOM.EXAMPLE.COM
   3    2 HTTP/dc1.samdom.example.com at SAMDOM.EXAMPLE.COM
ktutil:  q

Rowland
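Added example, not from the thread or from Samba: a small Python audit over `klist -ke` / `klist -Kek` style output that answers the two checks raised above, whether the exported keytab actually carries the intended HTTP SPN rather than the user principal, and which of its enctypes are deprecated (single DES per RFC 6649, RC4/arcfour-hmac per RFC 8429). The two sample listings are constructed to mirror the ones in the thread, with the key material omitted.

```python
import re

# Deprecated enctypes: single DES (RFC 6649) and RC4/arcfour-hmac (RFC 8429); AES is what a current keytab should carry.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5"}
STRONG_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# One entry line as printed by klist -ke: "KVNO principal (enctype)"; a hex key from -K may follow and is ignored.
ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)")

def parse_klist(text):
    """Return (kvno, principal, enctype) for every entry line; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries

def audit_keytab(text, expected_principal):
    """Check that the keytab holds the intended SPN and report its enctype hygiene."""
    enctypes_by_principal = {}
    kvnos = set()
    for kvno, principal, enctype in parse_klist(text):
        enctypes_by_principal.setdefault(principal, set()).add(enctype)
        if principal == expected_principal:
            kvnos.add(kvno)
    present = enctypes_by_principal.get(expected_principal, set())
    return {
        "has_expected_principal": expected_principal in enctypes_by_principal,
        "other_principals": sorted(p for p in enctypes_by_principal if p != expected_principal),
        "weak_enctypes": sorted(present & WEAK_ENCTYPES),
        "missing_strong": sorted(STRONG_ENCTYPES - present),
        "kvnos": sorted(kvnos),
    }

# Constructed sample listings modelled on the two shown in the thread (keys omitted).
SPN_EXPORT = """\
Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
"""
USER_EXPORT = """\
Keytab name: FILE:/root/intranet-macmini.keytab
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
"""
```

Run `audit_keytab(SPN_EXPORT, "HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD")` to see the SPN-exported keytab flagged for DES/RC4 with no AES keys, and the same call on `USER_EXPORT` to see the principal mismatch that makes the user-exported keytab unusable for Apache.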


