[Samba] Exporting keytab for SPN failure

Rowland Penny rpenny at samba.org
Fri Sep 16 20:43:18 UTC 2016


On Fri, 16 Sep 2016 13:00:52 -0700
Robert Moulton via samba <samba at lists.samba.org> wrote:

> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
> >
> >
> > Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
> >> On Wed, 14 Sep 2016 16:23:27 -0500
> >> Michael A Weber via samba <samba at lists.samba.org> wrote:
> >>
> >>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
> >>>> wrote:
> >>>>
> >>>>
> >>>>
> >>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
> >>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz
> >>>>>> <mailto:achim at ag-web.biz>> wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
> >>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
> >>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
> >>>>>>>>> Question though, just for my curiosity:
> >>>>>>>>>
> >>>>>>>>> The encryption algorithms specified after each SPN:  I see
> >>>>>>>>> that aes-256 is listed when I export the user, but not the
> >>>>>>>>> SPN.  Are those expected, or have I done something wrong and
> >>>>>>>>> used incorrect algorithms somewhere?  I recall reading that
> >>>>>>>>> DES is not secure enough and that AES-256 (I think I read
> >>>>>>>>> this during TLS enablement) is what should be used.
> >>>>>>>> I get the same behaviour here. If I do not use the FQDN and
> >>>>>>>> only the hostname without the domain part the aes keys are
> >>>>>>>> included. In your case --principal HTTP/intranet.
> >>>>>>> So, now I’m a little more confused.  I’ve added the SPN to the
> >>>>>>> user without the realm part, which succeeds.  I listed it to
> >>>>>>> verify, and it’s there (sanitized here):
> >>>>>>>
> >>>>>>> samba-tool spn list web-intranet-macmini
> >>>>>>> web-intranet-macmini
> >>>>>>> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName:
> >>>>>>> HTTP/intranet.domain2.domain1.tld
> >>>>>>>
> >>>>>>> Then, if I go to export the keytab as you have indicated above
> >>>>>>> with --principal=HTTP/intranet it errors:
> >>>>>>>
> >>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
> >>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
> >>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>>>>>     return self.run(*args, **kwargs)
> >>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
> >>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
> >>>>>>>
> >>>>>>> Should that command work?  Or, was that for
> >>>>>>> demonstration/explanation purposes only?  I’m assuming it
> >>>>>>> worked for you since you referenced my specific case.
> >>>>>>>
> >>>>>>> I feel I’m missing something.
> >>>>>>>
> >>>>>>>> The encryption methods used can be controlled with net ads
> >>>>>>>> enctypes.
> >>>>>>>>
> >>>>>>>> If I run (after kinit Administrator)
> >>>>>>>> net ads enctypes list dc1$
> >>>>>>>> I get
> >>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> >>>>>>>> [X] 0x00000001 DES-CBC-CRC
> >>>>>>>> [X] 0x00000002 DES-CBC-MD5
> >>>>>>>> [X] 0x00000004 RC4-HMAC
> >>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> >>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> >>>>>>>>
> >>>>>>> I get this as well.
> >>>>>>>
> >>>>>>>> If I use
> >>>>>>>> net ads enctypes list dc1.domain.local$
> >>>>>>>> I get
> >>>>>>>> no account found with filter:
> >>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
> >>>>>>>>
> >>>>>>> Again, I get this as well.
> >>>>>>>
> >>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
> >>>>>>>> algorithm and therefore does not find the account and uses
> >>>>>>>> des and arcfour keys by default.
> >>>>>>>>
> >>>>>>> Mike
> >>>>>> Try this
> >>>>>> net ads enctypes set web-intranet-macmini 31
> >>>>>>
> >>>>>> Afterwards "domain export" will also export aes keys for the
> >>>>>> SPNs.
> >>>>> And, this is why I addressed you as “experts” earlier.  Indeed,
> >>>>> it did!
> >>>>>
> >>>>> Now, I’m going to use ktutil to pull these into my existing
> >>>>> keytab on the destination machine and begin my testing.
> >>>>>
> >>>>> Thank you tremendously (although I think we may have created
> >>>>> hell for Rowland with the wiki documentation)!
> >>>>>
> >>>>> Mike
> >>>> I was wondering about the missing aes keys for a while. So
> >>>> thanks for bringing it up on the list.
> >>>>
> >>>> If a user gets created the attribute
> >>>> msDS-SupportedEncryptionTypes remains undefined and in this case
> >>>> only des and rc4 keys are exported.
> >>>>
> >>>> net ads enctypes set [hostname] [key value] can be used to define
> >>>> the valid keys for an account (and its SPNs).
> >>>>
> >>>> The key value is represented as
> >>>> 0x00000001 DES-CBC-CRC
> >>>> 0x00000002 DES-CBC-MD5
> >>>> 0x00000004 RC4-HMAC
> >>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
> >>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
> >>> (you mean, 0x00000016, for the last entry)
> >>>
> >>>> So using 31 enables all of them. samba-tool domain exportkeytab
> >>>> does always export des and rc4 keys but honours 0x8 for aes128
> >>>> and 0x10 for aes256. I assume if enctypes are set to 24 for
> >>>> example (only aes128/256) the server will honour this and
> >>>> decline des and rc4 attempts.
> >>>>
> >>>>
> >>>>
> >>> That’s interesting, indeed.
> >>>
> >>> Rowland—
> >>>
> >>> This whole thing seems to me like we are duplicating the
> >>> functionality of the ktpass command on a Windows AD.  With that
> >>> command, one would need to include an encoding type, and I’m just
> >>> wondering if it should be included in the wiki pages as well
> >>> rather than trying to add it back manually after the export.
> >>> Also, something tells me that the ktpass command, when creating
> >>> the SPN for a user, also sets the required encoding type.
> >>>
> >>> Thoughts?
> >>>
> >>> Mike
> >> The problem is the command 'samba-tool spn add' does just that, it
> >> only adds the 'servicePrincipalName', no enctypes are mentioned.
> >>
> >> Exporting the keytab is the same, there is no mention of enctypes
> >>
> >> So, until this changes, the wiki can only document what actually
> >> happens.
> >>
> >> Rowland
> >>
> > Hello Rowland,
> >
> > As I wrote before you can use the command
> >
> > net ads enctypes set [username] 31
> >
> > to convince domain export to also export the aes keys for the SPNs
> > assigned to [username] like it is done for [username].
> > If only aes keys are wanted in the keytab file, unwanted keys can be
> > removed from the keytab file with ktutil.
> >
> > See here for more info about "net ads enctypes"
> > https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
> > It controls which encryption types are used for ticket generation
> > on the server.
> >
> > achim~
> 
> I've been trying to follow this thread but admit I'm still missing 
> something. Given the example below, what needs to be done to get the
> aes keys in the keytab, exactly?
> 
> # net ads enctypes list hostname$
> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> 
> # samba-tool domain exportkeytab test --principal=hostname$
> 
> # klist -ke test
> Keytab name: FILE:test
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     1 hostname$@EXAMPLE.COM (des-cbc-crc)
>     1 hostname$@EXAMPLE.COM (des-cbc-md5)
>     1 hostname$@EXAMPLE.COM (arcfour-hmac)
> 

If I 'kinit Administrator' before running your commands as root on a
DC, I get this:

klist -ke devstation.keytab 
Keytab name: FILE:devstation.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) 
   1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) 
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) 

Rowland
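
The check discussed in this thread (compare an account's msDS-SupportedEncryptionTypes value with what "klist -ke" shows for the exported keytab) as a small script. This is an added example, not part of the original messages and not Samba code; the function names and the sample listing are constructed for illustration, and the bit values are the ones printed by "net ads enctypes list" above.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes as printed by
# "net ads enctypes list", mapped to the names "klist -ke" uses.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def decode_mask(mask):
    """Return the set of enctype names enabled in the attribute value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

# One keytab row: "<kvno> <principal> (<enctype>)"
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Map principal -> set of enctypes found in 'klist -ke' output."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            # Newer MIT klist prints e.g. "DEPRECATED:arcfour-hmac".
            enctype = m.group(3).lower().split(":")[-1]
            entries.setdefault(m.group(2), set()).add(enctype)
    return entries

def audit(klist_text, mask):
    """Per principal: enctypes the mask enables but the keytab lacks,
    and weak (DES/RC4) keys that are present in the keytab."""
    wanted = decode_mask(mask)
    return {
        princ: {"missing": sorted(wanted - have), "weak": sorted(have & WEAK)}
        for princ, have in parse_klist(klist_text).items()
    }

# Constructed sample, modelled on the first listing in this thread.
SAMPLE = """\
Keytab name: FILE:test
KVNO Principal
---- ----------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    for princ, result in audit(SAMPLE, 31).items():
        print(princ, result)
```

A non-empty "missing" list means the attribute allows an enctype that the export did not write; a non-empty "weak" list names the entries to remove with ktutil if only AES keys are wanted.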



