[Samba] Exporting keytab for SPN failure

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Sep 14 18:33:45 UTC 2016 

> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz> wrote:
> 
> 
> 
> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>> 
>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>> 
>>> 
>>> 
>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>> Question though, just for my curiosity:
>>>> 
>>>> The encryption algorithms specified after each SPN:  I see that aes-256 is listed when I export the user, but not the SPN.  Are those expected, or have I done something wrong and used incorrect algorithms somewhere?  I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>>> I get the same behaviour here. If i do nout use the FQDN and only the hostname without the domain part the aes keys are included. In your case --principal HTTP/intranet.
>> 
>> So, now I’m a little more confused.  I’ve added the SPN to the user without the realm part, which succeeds.  I listed it to verify, and it’s there (sanitized here):
>> 
>> samba-tool spn list web-intranet-macmini
>> web-intranet-macmini
>> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName: 
>> 	 HTTP/intranet.domain2.domain1.tld
>> 
>> Then, if I go to export the keytab as you have indicated above with —principal=HTTP/intranet it errors:
>> 
>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>> ERROR(runtime): uncaught exception - Key table entry not found
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>     net.export_keytab(keytab=keytab, principal=principal)
>> 
>> Should that command work?  Or, was that for demonstration/explanation purposes only?  I’m assuming it worked for you since you referenced my specific case.
>> 
>> I feel I’m missing something.
>> 
>>> 
>>> The encryption methods used can be controlled with net ads enctypes.
>>> 
>>> If i run (after kinit Administrator)
>>> net ads enctypes list dc1$
>>> i get
>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>> [X] 0x00000001 DES-CBC-CRC
>>> [X] 0x00000002 DES-CBC-MD5
>>> [X] 0x00000004 RC4-HMAC
>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>> 
>> 
>> I get this as well.
>> 
>>> If i use
>>> net ads enctypes list dc1.domain.local$
>>> i get
>>> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>> 
>> 
>> Again, I get this as well.
>> 
>>> Seems "samba-tool domain exportkeytab" uses an similar algorythm and therefore does not find the account and uses des and arcfour keys per default.
>>> 
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba <https://lists.samba.org/mailman/options/samba>
>> 
>> Mike
> Try this 
> net ads enctypes set web-intranet-macmini 31
> 
> Afterwards "domain export" will export also aes keys for the SPN's.

And, this is why I addressed you as “experts” earlier.  Indeed, it did!

Now, I’m going to use ktutil to pull these into my existing keytab on the destination machine and begin my testing.

Thank you tremendously (although I think we may have created hell for Rowland with the wiki documentation)!

Mike

More information about the samba mailing list