[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Fri Sep 16 20:43:42 UTC 2016
On 16.09.2016 at 22:00, Robert Moulton via samba wrote:
> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>
>>
>> On 15.09.2016 at 09:35, Rowland Penny via samba wrote:
>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>
>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
>>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 14.09.2016 at 20:33, Michael A Weber wrote:
>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz
>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14.09.2016 at 19:53, Michael A Weber wrote:
>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 14.09.2016 at 18:23, Michael A Weber wrote:
>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>
>>>>>>>>>> The encryption algorithms specified after each SPN: I see
>>>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>>>> SPN. Are those expected, or have I done something wrong and
>>>>>>>>>> used incorrect algorithms somewhere? I recall reading that
>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read this
>>>>>>>>>> during TLS enablement) is what should be used.
>>>>>>>>> I get the same behaviour here. If I do not use the FQDN and
>>>>>>>>> only the hostname without the domain part, the aes keys are
>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to the
>>>>>>>> user without the realm part, which succeeds. I listed it to
>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>
>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>> web-intranet-macmini
>>>>>>>> User
>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>>> has the following servicePrincipalName:
>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>
>>>>>>>> Then, if I go to export the keytab as you have indicated above
>>>>>>>> with --principal=HTTP/intranet it errors:
>>>>>>>>
>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>>>
>>>>>>>> Should that command work? Or, was that for
>>>>>>>> demonstration/explanation purposes only? I’m assuming it worked
>>>>>>>> for you since you referenced my specific case.
>>>>>>>>
>>>>>>>> I feel I’m missing something.
>>>>>>>>
>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>> enctypes.
>>>>>>>>>
>>>>>>>>> If I run (after kinit Administrator)
>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>> I get
>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>
>>>>>>>> I get this as well.
>>>>>>>>
>>>>>>>>> If I use
>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>> I get
>>>>>>>>> no account found with filter:
>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>
>>>>>>>> Again, I get this as well.
>>>>>>>>
>>>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
>>>>>>>>> algorithm and therefore does not find the account and uses des
>>>>>>>>> and arcfour keys per default.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>> the instructions:
>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>> Mike
>>>>>>> Try this
>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>
>>>>>>> Afterwards "domain export" will also export aes keys for the
>>>>>>> SPNs.
>>>>>> And, this is why I addressed you as “experts” earlier. Indeed, it
>>>>>> did!
>>>>>>
>>>>>> Now, I’m going to use ktutil to pull these into my existing keytab
>>>>>> on the destination machine and begin my testing.
>>>>>>
>>>>>> Thank you tremendously (although I think we may have created hell
>>>>>> for Rowland with the wiki documentation)!
>>>>>>
>>>>>> Mike
>>>>> I was wondering about the missing aes keys for a while. So thanks
>>>>> for bringing it up on the list.
>>>>>
>>>>> If a user gets created, the attribute msDS-SupportedEncryptionTypes
>>>>> remains undefined and in this case only des and rc4 keys are
>>>>> exported.
>>>>>
>>>>> net ads enctypes set [hostname] [key value] can be used to define
>>>>> the valid keys for an account (and its SPNs).
>>>>>
>>>>> The key value is represented as
>>>>> 0x00000001 DES-CBC-CRC
>>>>> 0x00000002 DES-CBC-MD5
>>>>> 0x00000004 RC4-HMAC
>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>> (you mean, 0x00000016, for the last entry)
>>>>
>>>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>>>> does always export des and rc4 keys but honours 0x8 for aes128 and
>>>>> 0x10 for aes256. I assume if enctypes are set to 24 for example
>>>>> (only aes128/256) the server will honour this and decline des and
>>>>> rc4 attempts.
>>>>>
>>>>>
>>>>>
>>>> That’s interesting, indeed.
>>>>
>>>> Rowland—
>>>>
>>>> This whole thing seems to me like we are duplicating the
>>>> functionality of the ktpass command on a Windows AD. With that
>>>> command, one would need to include an encoding type, and I’m just
>>>> wondering if it should be included in the wiki pages as well rather
>>>> than trying to add it back manually after the export. Also,
>>>> something tells me that the ktpass command, when creating the SPN for
>>>> a user, also sets the required encoding type.
>>>>
>>>> Thoughts?
>>>>
>>>> Mike
>>> The problem is the command 'samba-tool spn add' does just that, it only
>>> adds the 'servicePrincipalName', no enctypes are mentioned.
>>>
>>> Exporting the keytab is the same, there is no mention of enctypes
>>>
>>> So, until this changes, the wiki can only document what actually
>>> happens.
>>>
>>> Rowland
>>>
>> Hello Rowland,
>>
>> As I wrote before you can use the command
>>
>> net ads enctypes set [username] 31
>>
>> to convince domain export to also export the aes keys for the SPNs
>> assigned to [username], like it is done for [username].
>> If only aes keys are wanted in the keytab file, unwanted keys can be
>> removed from the keytab file with ktutil.
>>
>> See here for more info about "net ads enctypes"
>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
>>
>> It controls which encryption types are used for ticket generation on the
>> server.
>>
>> achim~
>
> I've been trying to follow this thread but admit I'm still missing
> something. Given the example below, what needs to be done to get the
> aes keys in the keytab, exactly?
>
> # net ads enctypes list hostname$
> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> # samba-tool domain exportkeytab test --principal=hostname$
>
> # klist -ke test
> Keytab name: FILE:test
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 hostname$@EXAMPLE.COM (des-cbc-crc)
> 1 hostname$@EXAMPLE.COM (des-cbc-md5)
> 1 hostname$@EXAMPLE.COM (arcfour-hmac)
>
What version of samba are you using? For my tests I used 4.4.5. "net
enctypes" was added with version 4.2.10.
Setting enctypes was only necessary here for aes keys with SPNs as
principals. UPNs/usernames always export the aes keys here.
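The following is an added audit helper written for this thread; it is not part of Samba and not code posted by any participant. It decodes the msDS-SupportedEncryptionTypes bitmask the way `net ads enctypes list` prints it, predicts which key types `samba-tool domain exportkeytab` will emit for an SPN principal according to the behaviour reported above (DES and RC4 always, AES128/AES256 only when bits 0x8/0x10 are set), and parses `klist -ke` output so an administrator can flag keytabs whose principals have no AES keys before deploying them. All sample data in the block is constructed; the `klist -ke` line format and the enctype short names are MIT's, and the prediction rule is the one observed in the thread rather than a documented Samba guarantee.

```python
"""Audit helpers for the Kerberos keytab enctype issue discussed in this thread.

Added example (not Samba code). Decodes msDS-SupportedEncryptionTypes,
predicts the key types `samba-tool domain exportkeytab` emits for an SPN
per the thread's observation, and parses `klist -ke` output to flag
principals that only carry DES/RC4 keys. All sample data is constructed.
"""
import re

# Bit values exactly as `net ads enctypes list` prints them in the thread.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}
AES = {"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"}


def decode_enctypes(value):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes value.

    None models an unset attribute (a freshly created user, as Achim notes)
    and decodes to an empty set.
    """
    if value is None:
        return set()
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def format_enctypes(account, value):
    """Render the attribute like `net ads enctypes list` does, e.g. for 31."""
    lines = ["'%s' uses \"msDS-SupportedEncryptionTypes\": %d (0x%08x)"
             % (account, value, value)]
    for bit, name in sorted(ENCTYPE_BITS.items()):
        lines.append("[%s] 0x%08x %s" % ("X" if value & bit else " ", bit, name))
    return "\n".join(lines)


def predicted_export(value):
    """Key types exportkeytab emits for an SPN principal, per the thread:
    DES and RC4 unconditionally, AES128/AES256 only if their bits are set."""
    return set(WEAK) | (decode_enctypes(value) & AES)


# `klist -ke` data lines look like:  1 hostname$@EXAMPLE.COM (des-cbc-crc)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
KLIST_AES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


def parse_klist(output):
    """Map principal -> set of enctype names found in `klist -ke` output."""
    result = {}
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:  # header, separator and blank lines do not match and are skipped
            result.setdefault(m.group(2), set()).add(m.group(3))
    return result


def principals_without_aes(output):
    """Principals in a keytab that carry only DES/RC4 keys (sorted)."""
    return sorted(p for p, encs in parse_klist(output).items()
                  if not encs & KLIST_AES)


# Constructed `klist -ke` output: one principal exported before enctypes were
# set (DES/RC4 only) and one exported afterwards (AES keys present).
SAMPLE_KLIST = """Keytab name: FILE:test
KVNO Principal
---- --------------------------------------------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)
   1 HTTP/intranet.example.com@EXAMPLE.COM (des-cbc-crc)
   1 HTTP/intranet.example.com@EXAMPLE.COM (arcfour-hmac)
   1 HTTP/intranet.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 HTTP/intranet.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    print(format_enctypes("dc1$", 31))
    print("export for unset attribute:", sorted(predicted_export(None)))
    print("export for 31:", sorted(predicted_export(31)))
    print("principals lacking AES keys:", principals_without_aes(SAMPLE_KLIST))
```

Run it directly to see the three reports; in practice feed `principals_without_aes` the captured output of `klist -ke <keytab>` and treat a non-empty result as a sign that `net ads enctypes set <account> 31` (or an AES-only value such as 24) still needs to be applied before re-exporting.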