[Samba] Exporting keytab for SPN failure

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Sep 14 21:23:27 UTC 2016


> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz> wrote:
> 
> 
> 
> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>> 
>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz> wrote:
>>> 
>>> 
>>> 
>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>> 
>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>> Question though, just for my curiosity:
>>>>>> 
>>>>>> The encryption algorithms specified after each SPN:  I see that aes-256 is listed when I export the user, but not the SPN.  Are those expected, or have I done something wrong and used incorrect algorithms somewhere?  I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>>>>> I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part, the aes keys are included. In your case --principal HTTP/intranet.
>>>> 
>>>> So, now I’m a little more confused.  I’ve added the SPN to the user without the realm part, which succeeds.  I listed it to verify, and it’s there (sanitized here):
>>>> 
>>>> samba-tool spn list web-intranet-macmini
>>>> web-intranet-macmini
>>>> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName: 
>>>> 	 HTTP/intranet.domain2.domain1.tld
>>>> 
>>>> Then, if I go to export the keytab as you have indicated above with --principal=HTTP/intranet it errors:
>>>> 
>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>> 
>>>> Should that command work?  Or, was that for demonstration/explanation purposes only?  I’m assuming it worked for you since you referenced my specific case.
>>>> 
>>>> I feel I’m missing something.
>>>> 
>>>>> 
>>>>> The encryption methods used can be controlled with net ads enctypes.
>>>>> 
>>>>> If I run (after kinit Administrator)
>>>>> net ads enctypes list dc1$
>>>>> I get
>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>> [X] 0x00000004 RC4-HMAC
>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>> 
>>>> 
>>>> I get this as well.
>>>> 
>>>>> If I use
>>>>> net ads enctypes list dc1.domain.local$
>>>>> I get
>>>>> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>> 
>>>> 
>>>> Again, I get this as well.
>>>> 
>>>>> Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses des and arcfour keys per default.
>>>>> 
>>>> 
>>>> Mike
>>> Try this 
>>> net ads enctypes set web-intranet-macmini 31
>>> 
>>> Afterwards "domain export" will export also aes keys for the SPNs.
>> 
>> And, this is why I addressed you as “experts” earlier.  Indeed, it did!
>> 
>> Now, I’m going to use ktutil to pull these into my existing keytab on the destination machine and begin my testing.
>> 
>> Thank you tremendously (although I think we may have created hell for Rowland with the wiki documentation)!
>> 
>> Mike
> I was wondering about the missing aes keys for a while. So thanks for bringing it up on the list.
> 
> If a user gets created the attribute msDS-SupportedEncryptionTypes remains undefined and in this case only des and rc4 keys are exported.
> 
> net ads enctypes set [hostname] [key value] can be used to define the valid keys for an account (and its SPNs).
> 
> The key value is represented as
> 0x00000001 DES-CBC-CRC
> 0x00000002 DES-CBC-MD5
> 0x00000004 RC4-HMAC
> 0x00000008 AES128-CTS-HMAC-SHA1-96
> 0x00000010 AES256-CTS-HMAC-SHA1-96

(you mean, 0x00000016, for the last entry)

> 
> So using 31 enables all of them. samba-tool domain exportkeytab does always export des and rc4 keys but honours 0x8 for aes128 and 0x10 for aes256.
> I assume if enctypes are set to 24 for example (only aes128/256) the server will honour this and decline des and rc4 attempts.
> 
> 
> 

That’s interesting, indeed.

Rowland—

This whole thing seems to me like we are duplicating the functionality of the ktpass command on a Windows AD.  With that command, one would need to include an encoding type, and I’m just wondering if it should be included in the wiki pages as well rather than trying to add it back manually after the export.  Also, something tells me that the ktpass command, when creating the SPN for a user, also sets the required encoding type.

Thoughts?

Mike
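
Added example, not part of the original message or of Samba: a Python check that decodes an msDS-SupportedEncryptionTypes value as listed in the thread and reads an exported keytab to report, per principal, which DES/RC4 keys it contains and which AES types the attribute allows but the keytab lacks. It assumes the MIT keytab file format version 0x0502; the principal, realm and key bytes in the sample are constructed.

```python
import struct

# msDS-SupportedEncryptionTypes bits, as printed by "net ads enctypes list"
MASK_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
             0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}
ENCTYPE_BIT = {1: 0x01, 3: 0x02, 23: 0x04, 17: 0x08, 18: 0x10}  # keytab enctype -> bit

def decode_mask(value):
    return [name for bit, name in MASK_BITS.items() if value & bit]

def _counted(buf, p):  # 16-bit length-prefixed byte string
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):  # yields (principal, enctype) per entry of a 0x0502 keytab
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:  # a negative size marks a deleted entry of that length
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            parts.append(comp)
        (etype,) = struct.unpack_from(">H", data, p + 9)  # after name type, time, kvno
        yield b"/".join(parts).decode() + "@" + realm.decode(), etype
        pos += size

def audit(data, mask):  # per principal: weak types present, allowed AES types absent
    have = {}
    for princ, etype in parse_keytab(data):
        have[princ] = have.get(princ, 0) | ENCTYPE_BIT.get(etype, 0)
    return {p: {"weak": decode_mask(b & 0x07), "missing_aes": decode_mask(mask & 0x18 & ~b)}
            for p, b in have.items()}

def make_entry(realm, parts, etype, key):  # builder for the constructed sample only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(parts)) + s(realm) + b"".join(map(s, parts))
            + struct.pack(">IIBH", 1, 0, 2, etype) + s(key))
    return struct.pack(">i", len(body)) + body

# Constructed keytab holding only DES and RC4 keys (dummy zero key bytes)
SAMPLE = b"\x05\x02" + b"".join(make_entry(b"EXAMPLE.TEST", [b"HTTP", b"intranet"], e, bytes(n))
                                for e, n in ((1, 8), (3, 8), (23, 16)))
```

Calling `audit(open(path, "rb").read(), 31)` on a real export shows whether the AES keys arrived after `net ads enctypes set`.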

