[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Wed Sep 14 19:00:28 UTC 2016

Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz 
>> <mailto:achim at ag-web.biz>> wrote:
>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba 
>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>> Question though, just for my curiosity:
>>>>> The encryption algorithms specified after each SPN:  I see that 
>>>>> aes-256 is listed when I export the user, but not the SPN.  Are 
>>>>> those expected, or have I done something wrong and used incorrect 
>>>>> algorithms somewhere?  I recall reading that DES is not secure 
>>>>> enough and that AES-256 (I think I read this during TLS 
>>>>> enablement) is what should be used.
>>>> I get the same behaviour here. If I do not use the FQDN and only 
>>>> the hostname without the domain part the aes keys are included. In 
>>>> your case --principal HTTP/intranet.
>>> So, now I’m a little more confused.  I’ve added the SPN to the user 
>>> without the realm part, which succeeds.  I listed it to verify, and 
>>> it’s there (sanitized here):
>>> samba-tool spn list web-intranet-macmini
>>> web-intranet-macmini
>>> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld 
>>> has the following servicePrincipalName:
>>> HTTP/intranet.domain2.domain1.tld
>>> Then, if I go to export the keytab as you have indicated above with 
>>> —principal=HTTP/intranet it errors:
>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab 
>>> --principal=HTTP/intranet
>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>   File 
>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 
>>> 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
>>> line 129, in run
>>> net.export_keytab(keytab=keytab, principal=principal)
>>> Should that command work?  Or, was that for 
>>> demonstration/explanation purposes only?  I’m assuming it worked for 
>>> you since you referenced my specific case.
>>> I feel I’m missing something.
>>>> The encryption methods used can be controlled with net ads enctypes.
>>>> If I run (after kinit Administrator)
>>>> net ads enctypes list dc1$
>>>> I get
>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>> [X] 0x00000001 DES-CBC-CRC
>>>> [X] 0x00000002 DES-CBC-MD5
>>>> [X] 0x00000004 RC4-HMAC
>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>> I get this as well.
>>>> If I use
>>>> net ads enctypes list dc1.domain.local$
>>>> I get
>>>> no account found with filter: 
>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>> Again, I get this as well.
>>>> Seems "samba-tool domain exportkeytab" uses a similar algorithm 
>>>> and therefore does not find the account and uses des and arcfour 
>>>> keys per default.
>>> Mike
>> Try this
>> net ads enctypes set web-intranet-macmini 31
>> Afterwards "domain export" will export also aes keys for the SPN's.
> And, this is why I addressed you as “experts” earlier.  Indeed, it did!
> Now, I’m going to use ktutil to pull these into my existing keytab on 
> the destination machine and begin my testing.
> Thank you tremendously (although I think we may have created hell for 
> Rowland with the wiki documentation)!
> Mike
I was wondering about the missing aes keys for a while. So thanks for 
bringing it up on the list.

If a user gets created the attribute msDS-SupportedEncryptionTypes 
remains undefined and in this case only des and rc4 keys are exported.

net ads enctypes set [hostname] [key value] can be used to define the 
valid keys for an account (and its SPNs).

The key value is represented as
0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96

So using 31 enables all of them. samba-tool domain exportkeytab always 
exports des and rc4 keys but honours 0x8 for aes128 and 0x10 for 
I assume if enctypes are set to 24 for example (only aes128/256) the 
server will honour this and decline des and rc4 attempts.
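As an added example (not part of the thread and not Samba's own code), the following Python helper encodes the msDS-SupportedEncryptionTypes bit table listed above, parses the "net ads enctypes list" output quoted earlier in the thread, flags accounts that still have the DES/RC4 bits set, and predicts which key types exportkeytab would write according to Achim's description (DES and RC4 always, AES128 for 0x8, AES256 for 0x10). The predicted-keytab logic restates that description rather than verified Samba behaviour, and the sample listing is the dc1$ output from the thread reproduced as constructed input. Python is used because samba-tool itself is written in Python.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes exactly as "net ads enctypes list"
# prints them in the thread above. Added example, not Samba's own code.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
NAME_TO_BIT = {name: bit for bit, name in ENCTYPE_BITS.items()}
KNOWN_MASK = 0x0000001f   # the five bits shown in the thread's table
WEAK_MASK = 0x00000007    # the DES and RC4 bits
AES_MASK = 0x00000018     # the two AES bits; 24 in decimal


def decode_enctypes(value):
    """Names of the enctypes whose bits are set in value (e.g. 31 -> all five)."""
    if value < 0 or value & ~KNOWN_MASK:
        raise ValueError("bits outside the thread's table: %#010x" % value)
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: the integer to pass to 'net ads enctypes set'."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]   # KeyError on an unknown name is intended
    return value


def weak_enctypes(value):
    """DES/RC4 types still enabled on the account; an empty list means AES-only."""
    return decode_enctypes(value & WEAK_MASK)


def predicted_keytab_enctypes(value):
    """Key types exportkeytab is reported (in the thread) to write for the account:
    DES and RC4 always, AES128 when 0x8 is set, AES256 when 0x10 is set.
    value=None models a freshly created account whose attribute is still unset."""
    exported = ["DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"]
    if value is not None:
        if value & 0x00000008:
            exported.append("AES128-CTS-HMAC-SHA1-96")
        if value & 0x00000010:
            exported.append("AES256-CTS-HMAC-SHA1-96")
    return exported


# Header line of "net ads enctypes list", e.g.
# 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
_HEADER = re.compile(
    r"^'(?P<account>[^']+)' uses \"msDS-SupportedEncryptionTypes\": "
    r"(?P<dec>\d+) \((?P<hex>0x[0-9a-fA-F]{8})\)$"
)


def parse_enctypes_listing(text):
    """Return (account, value) from 'net ads enctypes list' output, checking
    that the decimal and hexadecimal forms on the header line agree."""
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if m:
            dec, hx = int(m.group("dec")), int(m.group("hex"), 16)
            if dec != hx:
                raise ValueError("decimal/hex mismatch in: " + line)
            return m.group("account"), dec
    raise ValueError("no msDS-SupportedEncryptionTypes header line found")


def render_listing(account, value):
    """Reproduce the tool's checkbox listing so audit output reads the same way."""
    lines = ['\'%s\' uses "msDS-SupportedEncryptionTypes": %d (%#010x)'
             % (account, value, value)]
    for bit, name in sorted(ENCTYPE_BITS.items()):
        lines.append("[%s] %#010x %s" % ("X" if value & bit else " ", bit, name))
    return "\n".join(lines)


# Constructed sample input: the dc1$ listing quoted in the thread.
SAMPLE_LISTING = """'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
"""

if __name__ == "__main__":
    account, value = parse_enctypes_listing(SAMPLE_LISTING)
    print(render_listing(account, value))
    print("weak types still enabled:", weak_enctypes(value))
    print("AES-only value for 'net ads enctypes set':", AES_MASK)
    print("keytab would contain:", predicted_keytab_enctypes(AES_MASK))
```

Running the script against the sample prints the same listing the thread shows, reports the three DES/RC4 types as still enabled for value 31, and shows 24 as the value that leaves only the AES bits set. Whether a KDC with 24 configured actually refuses DES and RC4 tickets is the open question at the end of the message above; the helper only encodes the attribute, it does not test the server.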
