[Samba] Exporting keytab for SPN failure

Fri Sep 16 21:22:13 UTC 2016

Am 16.09.2016 um 23:06 schrieb Rowland Penny via samba:
> On Fri, 16 Sep 2016 23:02:20 +0200
> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
>>
>> Am 16.09.2016 um 22:49 schrieb Rowland Penny via samba:
>>> On Fri, 16 Sep 2016 22:43:42 +0200
>>> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>>>
>>>> Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba:
>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger
>>>>>>>>> <achim at ag-web.biz> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger
>>>>>>>>>>> <achim at ag-web.biz <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The encryption algorithms specified after each SPN:  I
>>>>>>>>>>>>>> see that aes-256 is listed when I export the user, but
>>>>>>>>>>>>>> not the SPN.  Are those expected, or have I done
>>>>>>>>>>>>>> something wrong and used incorrect algorithms
>>>>>>>>>>>>>> somewhere?  I recall reading that DES is not secure
>>>>>>>>>>>>>> enough and that AES-256 (I think I read this during TLS
>>>>>>>>>>>>>> enablement) is what should be used.
>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the FQDN
>>>>>>>>>>>>> and only the hostname without the domain part the aes
>>>>>>>>>>>>> keys are included. In your case --principal HTTP/intranet.
>>>>>>>>>>>> So, now I’m a little more confused.  I’ve added the SPN to
>>>>>>>>>>>> the user without the realm part, which succeeds.  I listed
>>>>>>>>>>>> it to verify, and it’s there (sanitized here):
>>>>>>>>>>>>
>>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>>> User
>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>>
>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated
>>>>>>>>>>>> above with —principal=HTTP/intranet it errors:
>>>>>>>>>>>>
>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught
>>>>>>>>>>>> exception
>>>>>>>>>>>> - Key table entry not found File
>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File
>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab,
>>>>>>>>>>>> principal=principal)
>>>>>>>>>>>>
>>>>>>>>>>>> Should that command work?  Or, was that for
>>>>>>>>>>>> demonstration/explanation purposes only?  I’m assuming it
>>>>>>>>>>>> worked for you since you referenced my specific case.
>>>>>>>>>>>>
>>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>>
>>>>>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If i run (after kinit Administrator)
>>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>>> i get
>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31
>>>>>>>>>>>>> (0x0000001f) [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>
>>>>>>>>>>>> I get this as well.
>>>>>>>>>>>>
>>>>>>>>>>>>> If i use
>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>>> i get
>>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>>
>>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>>
>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar
>>>>>>>>>>>>> algorythm and therefore does not find the account and uses
>>>>>>>>>>>>> des and arcfour keys per default.
>>>>>>>>>>>>>
>>>>>>>>>>>>> -- 
>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>> read the instructions:
>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>>> Mike
>>>>>>>>>>> Try this
>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>>
>>>>>>>>>>> Afterwards "domain export" will export also aes keys for the
>>>>>>>>>>> SPN's.
>>>>>>>>>> And, this is why I addressed you as “experts” earlier.
>>>>>>>>>> Indeed, it did!
>>>>>>>>>>
>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing
>>>>>>>>>> keytab on the destination machine and begin my testing.
>>>>>>>>>>
>>>>>>>>>> Thank you tremendously (although I think we may have created
>>>>>>>>>> hell for Rowland with the wiki documentation)!
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>>>> I was wondering about the missing aes keys for an while. So
>>>>>>>>> thanks for bringing it up on the list.
>>>>>>>>>
>>>>>>>>> If an user gets created the attribute
>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this
>>>>>>>>> case only des and rc4 keys are exported.
>>>>>>>>>
>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to
>>>>>>>>> define the valid keys for an accound (and it's spn's).
>>>>>>>>>
>>>>>>>>> The key value is repesented as
>>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>>
>>>>>>>>> So using 31 enables all of them. samba-tool domain
>>>>>>>>> exportkeytab does always export des and rc4 keys but honours
>>>>>>>>> 0x8 for aes128 and 0x10 for aes256. I assume if enctypes are
>>>>>>>>> set to 24 for example (only aes128/256) the server will
>>>>>>>>> honour this and decline des and rc4 attempts.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> That’s interesting, indeed.
>>>>>>>>
>>>>>>>> Rowland—
>>>>>>>>
>>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>>> functionality of the ktpass command on a Windows AD.  With that
>>>>>>>> command, one would need to include an encoding type, and I’m
>>>>>>>> just wondering if it should be included in the wiki pages as
>>>>>>>> well rather than trying to add it back manually after the
>>>>>>>> export. Also, something tells me that the ktpass command, when
>>>>>>>> creating the SPN for a user, also sets the required encoding
>>>>>>>> type.
>>>>>>>>
>>>>>>>> Thoughts?
>>>>>>>>
>>>>>>>> Mike
>>>>>>> The problem is the command 'samba-tool spn add' does just that,
>>>>>>> it only adds the 'servicePrincipalName', no enctypes are
>>>>>>> mentioned.
>>>>>>>
>>>>>>> Exporting the keytab is the same, there is no mention of
>>>>>>> enctypes
>>>>>>>
>>>>>>> So, until this changes, the wiki can only document what actually
>>>>>>> happens.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Hello Rowland,
>>>>>>
>>>>>> As I wrote before you can use the command
>>>>>>
>>>>>> net ads enctypes set [username] 31
>>>>>>
>>>>>> to convince domain export to export also the aes keys for the
>>>>>> SPN's assigned to [username] like it is done for [username].
>>>>>> If only aes keys are wanted in the keytab file unwanted keys can
>>>>>> be removed from the keytab file with ktutil.
>>>>>>
>>>>>> See here for more info about "net ads enctypes"
>>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
>>>>>>
>>>>>> It controls which encryption types are used for ticket generation
>>>>>> on the server.
>>>>>>
>>>>>> achim~
>>>>> I've been trying to follow this thread but admit I'm still missing
>>>>> something. Given the example below, what needs to be done to get
>>>>> the aes keys in the keytab, exactly?
>>>>>
>>>>> # net ads enctypes list hostname$
>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>> [X] 0x00000004 RC4-HMAC
>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>
>>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>>
>>>>> # klist -ke test
>>>>> Keytab name: FILE:test
>>>>> KVNO Principal
>>>>> ----
>>>>> --------------------------------------------------------------------------
>>>>>      1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>>      1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>>      1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>>
>>>> What version of samba are you using? For my tests i used 4.4.5.
>>>> "net enctypes" was added wth version 4.2.10.
>>>> Setting enctypes was only necessary here for aes keys with spn's as
>>>> principals. upn's/usernames always export the aes keys here.
>>>>
>>> Good point, but a computer only has SPNs
>>>
>>> Rowland
>>>
>>>
>> In above test the hostname/username was used as principal. You are
>> right the userPrincipalName attribute is not used for computer
>> accounts. Still it is possible to export an keytab for the hostname.
>>
> Yes 'hostname' was used, but if you look carefully, there is a '$' on
> the end, this make is definitely a computer.
>
> Rowland
>
It's getting abit of topic doesnt it?
Of course by using the word hostname i talk about an computer account. :-)
User and Computer account both use the objectClass user the 
userPrincipalName attribute belongs to that class so in theory even an 
computer account may have an upn (aka userPrincipalName) defined.

It's odd that the aes keys are not exported for robert, however. Maybe 
he's on gentoo and affected by it's system heimdal issues.