[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Thu Sep 15 08:20:23 UTC 2016
On 15.09.2016 at 09:35, Rowland Penny via samba wrote:
> On Wed, 14 Sep 2016 16:23:27 -0500
> Michael A Weber via samba <samba at lists.samba.org> wrote:
>
>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
>>> wrote:
>>>
>>>
>>>
>>> On 14.09.2016 at 20:33, Michael A Weber wrote:
>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz>
>>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 14.09.2016 at 19:53, Michael A Weber wrote:
>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>> <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14.09.2016 at 18:23, Michael A Weber wrote:
>>>>>>>> Question though, just for my curiosity:
>>>>>>>>
>>>>>>>> The encryption algorithms specified after each SPN: I see
>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>> SPN. Are those expected, or have I done something wrong and
>>>>>>>> used incorrect algorithms somewhere? I recall reading that
>>>>>>>> DES is not secure enough and that AES-256 (I think I read this
>>>>>>>> during TLS enablement) is what should be used.
>>>>>>> I get the same behaviour here. If I do not use the FQDN and
>>>>>>> only the hostname without the domain part, the AES keys are
>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>> So, now I’m a little more confused. I’ve added the SPN to the
>>>>>> user without the realm part, which succeeds. I listed it to
>>>>>> verify, and it’s there (sanitized here):
>>>>>>
>>>>>> samba-tool spn list web-intranet-macmini
>>>>>> web-intranet-macmini
>>>>>> User
>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>> has the following servicePrincipalName:
>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>
>>>>>> Then, if I go to export the keytab as you have indicated above
>>>>>> with --principal=HTTP/intranet it errors:
>>>>>>
>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>
>>>>>> Should that command work? Or, was that for
>>>>>> demonstration/explanation purposes only? I’m assuming it worked
>>>>>> for you since you referenced my specific case.
>>>>>>
>>>>>> I feel I’m missing something.
>>>>>>
>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>> enctypes.
>>>>>>>
>>>>>>> If I run (after kinit Administrator)
>>>>>>> net ads enctypes list dc1$
>>>>>>> I get
>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>
>>>>>> I get this as well.
>>>>>>
>>>>>>> If I use
>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>> I get
>>>>>>> no account found with filter:
>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>
>>>>>> Again, I get this as well.
>>>>>>
>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
>>>>>>> algorithm and therefore does not find the account and uses DES
>>>>>>> and arcfour keys by default.
>>>>>>>
>>>>>> Mike
>>>>> Try this
>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>
>>>>> Afterwards "domain export" will export also aes keys for the
>>>>> SPN's.
>>>> And, this is why I addressed you as “experts” earlier. Indeed, it
>>>> did!
>>>>
>>>> Now, I’m going to use ktutil to pull these into my existing keytab
>>>> on the destination machine and begin my testing.
>>>>
>>>> Thank you tremendously (although I think we may have created hell
>>>> for Rowland with the wiki documentation)!
>>>>
>>>> Mike
>>> I was wondering about the missing AES keys for a while. So thanks
>>> for bringing it up on the list.
>>>
>>> If a user gets created, the attribute msDS-SupportedEncryptionTypes
>>> remains undefined, and in this case only DES and RC4 keys are
>>> exported.
>>>
>>> net ads enctypes set [hostname] [key value] can be used to define
>>> the valid keys for an account (and its SPNs).
>>>
>>> The key value is represented as
>>> 0x00000001 DES-CBC-CRC
>>> 0x00000002 DES-CBC-MD5
>>> 0x00000004 RC4-HMAC
>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>> (you mean, 0x00000016, for the last entry)
>>
>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>> always exports DES and RC4 keys but honours 0x8 for AES128 and
>>> 0x10 for AES256. I assume if enctypes are set to 24, for example
>>> (only AES128/256), the server will honour this and decline DES and
>>> RC4 attempts.
>>>
>>>
>>>
>> That’s interesting, indeed.
>>
>> Rowland—
>>
>> This whole thing seems to me like we are duplicating the
>> functionality of the ktpass command on a Windows AD. With that
>> command, one would need to include an encoding type, and I’m just
>> wondering if it should be included in the wiki pages as well rather
>> than trying to add it back manually after the export. Also,
>> something tells me that the ktpass command, when creating the SPN for
>> a user, also sets the required encoding type.
>>
>> Thoughts?
>>
>> Mike
> The problem is the command 'samba-tool spn add' does just that, it only
> adds the 'servicePrincipalName', no enctypes are mentioned.
>
> Exporting the keytab is the same, there is no mention of enctypes
>
> So, until this changes, the wiki can only document what actually
> happens.
>
> Rowland
>
Hello Rowland,
As I wrote before, you can use the command
net ads enctypes set [username] 31
to convince the domain export to also export the AES keys for the SPNs
assigned to [username], as is done for [username] itself.
If only AES keys are wanted in the keytab file, the unwanted keys can be
removed from the keytab file with ktutil.
See here for more info about "net ads enctypes":
https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html
It controls which encryption types are used for ticket generation on the
server.
achim~
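The procedure discussed in this thread (decode the msDS-SupportedEncryptionTypes bitmask that `net ads enctypes list` prints, pick the value for `net ads enctypes set`, then strip the DES/RC4 entries that `samba-tool domain exportkeytab` writes anyway) as an added example. This script is not part of the thread or of the Samba project. It assumes MIT Kerberos' `ktutil` (whose `list -e` output format and `rkt`/`delent`/`wkt` commands it targets; Heimdal's ktutil has a different syntax), the sample `list -e` listing below is constructed, and the handling of the "DEPRECATED:" prefix that newer MIT releases print for DES enctypes is an assumption about that output.

```python
import re

# msDS-SupportedEncryptionTypes bit values, as printed by `net ads enctypes list`.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Names MIT `ktutil list -e` prints for the same enctypes (assumption: newer
# MIT releases prefix deprecated ones with "DEPRECATED:", stripped by the regex).
KTUTIL_NAME_TO_BIT = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04,
    "arcfour-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

AES_ONLY = 0x08 | 0x10  # == 24, the AES-only value mentioned in the thread

# Constructed sample of `ktutil: list -e` after `rkt intranet-macmini.keytab`,
# i.e. what an export with all five enctypes enabled (31) would look like.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   2    2 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   3    2 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
   4    2 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   5    2 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
"""


def decode_enctypes(value):
    """Enctype names enabled by an msDS-SupportedEncryptionTypes integer."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: the integer to pass to `net ads enctypes set`."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    return sum(by_name[n] for n in names)


KTUTIL_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")


def parse_ktutil_listing(text):
    """Parse `ktutil: list -e` output into (slot, kvno, principal, enctype_bit).

    enctype_bit is None for enctypes this script does not know about.
    """
    entries = []
    for line in text.splitlines():
        m = KTUTIL_LINE.match(line)
        if not m:
            continue  # header and ruler lines
        slot, kvno, principal, enctype = m.groups()
        entries.append((int(slot), int(kvno), principal,
                        KTUTIL_NAME_TO_BIT.get(enctype.lower())))
    return entries


def slots_to_delete(entries, keep_mask):
    """Slots whose enctype is outside keep_mask, highest slot first.

    ktutil renumbers the remaining slots after every `delent`, so deleting
    from the highest slot downward keeps the later numbers valid. Entries
    with an unknown enctype are kept rather than silently dropped.
    """
    doomed = [slot for slot, _, _, bit in entries
              if bit is not None and not (bit & keep_mask)]
    return sorted(doomed, reverse=True)


def ktutil_script(src, dst, slots):
    """Commands to feed ktutil on stdin. dst must not exist yet: `wkt` appends."""
    lines = ["rkt " + src]
    lines += ["delent %d" % s for s in slots]
    lines += ["wkt " + dst, "quit"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("31 enables:", ", ".join(decode_enctypes(31)))
    print("AES-only value for `net ads enctypes set`:", AES_ONLY)
    entries = parse_ktutil_listing(SAMPLE_LISTING)
    print(ktutil_script("intranet-macmini.keytab", "intranet-aes.keytab",
                        slots_to_delete(entries, AES_ONLY)), end="")
```

Run `ktutil`, type `rkt <file>` and `list -e`, save that listing, and feed the generated commands back with `ktutil < script` to produce a keytab holding only the AES entries. Note that removing DES/RC4 keys from the keytab alone does not stop the KDC from issuing RC4 tickets for the SPN; that is what the msDS-SupportedEncryptionTypes value (24 for AES only) on the account controls.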