[Samba] Exporting keytab for SPN failure

Robert Moulton rmoulton at uw.edu
Fri Sep 16 20:00:52 UTC 2016

Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>> On Wed, 14 Sep 2016 16:23:27 -0500
>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
>>>> wrote:
>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz
>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>> The encryption algorithms specified after each SPN:  I see
>>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>>> SPN.  Are those expected, or have I done something wrong and
>>>>>>>>> used incorrect algorithms somewhere?  I recall reading that
>>>>>>>>> DES is not secure enough and that AES-256 (I think I read this
>>>>>>>>> during TLS enablement) is what should be used.
>>>>>>>> I get the same behaviour here. If I do not use the FQDN and
>>>>>>>> only the hostname without the domain part the aes keys are
>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>> So, now I’m a little more confused.  I’ve added the SPN to the
>>>>>>> user without the realm part, which succeeds.  I listed it to
>>>>>>> verify, and it’s there (sanitized here):
>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>> web-intranet-macmini
>>>>>>> User
>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>> has the following servicePrincipalName:
>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>> Then, if I go to export the keytab as you have indicated above
>>>>>>> with --principal=HTTP/intranet it errors:
>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>> Should that command work?  Or, was that for
>>>>>>> demonstration/explanation purposes only?  I’m assuming it worked
>>>>>>> for you since you referenced my specific case.
>>>>>>> I feel I’m missing something.
>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>> enctypes.
>>>>>>>> If I run (after kinit Administrator)
>>>>>>>> net ads enctypes list dc1$
>>>>>>>> I get
>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>> I get this as well.
>>>>>>>> If I use
>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>> I get
>>>>>>>> no account found with filter:
>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>> Again, I get this as well.
>>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
>>>>>>>> algorithm and therefore does not find the account and uses des
>>>>>>>> and arcfour keys per default.
>>>>>>> Mike
>>>>>> Try this
>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>> Afterwards "domain export" will export also aes keys for the
>>>>>> SPN's.
>>>>> And, this is why I addressed you as “experts” earlier.  Indeed, it
>>>>> did!
>>>>> Now, I’m going to use ktutil to pull these into my existing keytab
>>>>> on the destination machine and begin my testing.
>>>>> Thank you tremendously (although I think we may have created hell
>>>>> for Rowland with the wiki documentation)!
>>>>> Mike
>>>> I was wondering about the missing aes keys for a while. So thanks
>>>> for bringing it up on the list.
>>>> If a user gets created the attribute msDS-SupportedEncryptionTypes
>>>> remains undefined and in this case only des and rc4 keys are
>>>> exported.
>>>> net ads enctypes set [hostname] [key value] can be used to define
>>>> the valid keys for an account (and its SPNs).
>>>> The key value is represented as
>>>> 0x00000001 DES-CBC-CRC
>>>> 0x00000002 DES-CBC-MD5
>>>> 0x00000004 RC4-HMAC
>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>> (you mean, 0x00000016, for the last entry)
>>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>>> does always export des and rc4 keys but honours 0x8 for aes128 and
>>>> 0x10 for aes256. I assume if enctypes are set to 24 for example
>>>> (only aes128/256) the server will honour this and decline des and
>>>> rc4 attempts.
>>> That’s interesting, indeed.
>>> Rowland—
>>> This whole thing seems to me like we are duplicating the
>>> functionality of the ktpass command on a Windows AD.  With that
>>> command, one would need to include an encoding type, and I’m just
>>> wondering if it should be included in the wiki pages as well rather
>>> than trying to add it back manually after the export.  Also,
>>> something tells me that the ktpass command, when creating the SPN for
>>> a user, also sets the required encoding type.
>>> Thoughts?
>>> Mike
>> The problem is the command 'samba-tool spn add' does just that, it only
>> adds the 'servicePrincipalName', no enctypes are mentioned.
>> Exporting the keytab is the same, there is no mention of enctypes
>> So, until this changes, the wiki can only document what actually
>> happens.
>> Rowland
> Hello Rowland,
> As I wrote before you can use the command
> net ads enctypes set [username] 31
> to convince domain export to export also the aes keys for the SPN's
> assigned to [username] like it is done for [username].
> If only aes keys are wanted in the keytab file unwanted keys can be
> removed from the keytab file with ktutil.
> See here for more info about "net ads enctypes"
> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
> It controls which encryption types are used for ticket generation on the
> server.
> achim~

I've been trying to follow this thread but admit I'm still missing 
something. Given the example below, what needs to be done to get the aes 
keys in the keytab, exactly?

# net ads enctypes list hostname$
'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

# samba-tool domain exportkeytab test --principal=hostname$

# klist -ke test
Keytab name: FILE:test
KVNO Principal
    1 hostname$@EXAMPLE.COM (des-cbc-crc)
    1 hostname$@EXAMPLE.COM (des-cbc-md5)
    1 hostname$@EXAMPLE.COM (arcfour-hmac)
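An added example, not part of the thread or of Samba's own tooling: a small shell helper that decodes an msDS-SupportedEncryptionTypes value into the flag names `net ads enctypes list` prints, and scans a `klist -ke` listing for principals that carry no AES key (the kind of check a defender would run before trusting an exported keytab). The klist sample embedded below is constructed from the listing above.

```shell
#!/bin/sh
# Bit values are the ones 'net ads enctypes list' shows in the thread.

# decode_enctypes VALUE: print the enctype names enabled in a decimal
# msDS-SupportedEncryptionTypes value (e.g. 31 = all five, 24 = AES only).
decode_enctypes() {
    v=$1
    out=""
    for entry in \
        "1:DES-CBC-CRC" \
        "2:DES-CBC-MD5" \
        "4:RC4-HMAC" \
        "8:AES128-CTS-HMAC-SHA1-96" \
        "16:AES256-CTS-HMAC-SHA1-96"
    do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( v & bit )) -ne 0 ]; then
            out="$out$name "
        fi
    done
    printf '%s\n' "${out% }"
}

# principals_without_aes: read 'klist -ke' output on stdin and print each
# principal that has no aes128-cts/aes256-cts entry (one per line, sorted).
# Key lines look like: '    1 host$@REALM (des-cbc-crc)'.
principals_without_aes() {
    awk '
        /^ *[0-9]+ / {
            princ = $2
            seen[princ] = 1
            if ($3 ~ /aes(128|256)-cts/) aes[princ] = 1
        }
        END { for (p in seen) if (!(p in aes)) print p }
    ' | sort
}

# Constructed sample: the DES/RC4-only keytab listing from the message above.
KLIST_SAMPLE='Keytab name: FILE:test
KVNO Principal
    1 hostname$@EXAMPLE.COM (des-cbc-crc)
    1 hostname$@EXAMPLE.COM (des-cbc-md5)
    1 hostname$@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample: the same principal after AES keys were exported too.
KLIST_AES_SAMPLE='KVNO Principal
    1 hostname$@EXAMPLE.COM (arcfour-hmac)
    1 hostname$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'
```

Pipe real output in with `klist -ke test | principals_without_aes`; an empty result means every principal in the keytab has at least one AES key.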
