[Samba] Exporting keytab for SPN failure

Robert Moulton rmoulton at uw.edu
Fri Sep 16 21:33:01 UTC 2016 

Achim Gottinger via samba wrote on 9/16/16 2:15 PM:
>
>
> Am 16.09.2016 um 22:54 schrieb Robert Moulton via samba:
>> Achim Gottinger via samba wrote on 9/16/16 1:43 PM:
>>>
>>>
>>> Am 16.09.2016 um 22:00 schrieb Robert Moulton via samba:
>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>
>>>>>
>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz
>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>
>>>>>>>>>>>>> The encryption algorithms specified after each SPN:  I see
>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>>>>>>> SPN.  Are those expected, or have I done something wrong and
>>>>>>>>>>>>> used incorrect algorithms somewhere?  I recall reading that
>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read this
>>>>>>>>>>>>> during TLS enablement) is what should be used.
>>>>>>>>>>>> I get the same behaviour here. If i do nout use the FQDN and
>>>>>>>>>>>> only the hostname without the domain part the aes keys are
>>>>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>>>>> So, now I’m a little more confused.  I’ve added the SPN to the
>>>>>>>>>>> user without the realm part, which succeeds.  I listed it to
>>>>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>>>>
>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>> User
>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>
>>>>>>>>>>> Then, if I go to export the keytab as you have indicated above
>>>>>>>>>>> with —principal=HTTP/intranet it errors:
>>>>>>>>>>>
>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught exception -
>>>>>>>>>>> Key table entry not found File
>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File
>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab,
>>>>>>>>>>> principal=principal)
>>>>>>>>>>>
>>>>>>>>>>> Should that command work?  Or, was that for
>>>>>>>>>>> demonstration/explanation purposes only?  I’m assuming it worked
>>>>>>>>>>> for you since you referenced my specific case.
>>>>>>>>>>>
>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>
>>>>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>
>>>>>>>>>>>> If i run (after kinit Administrator)
>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>> i get
>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>
>>>>>>>>>>> I get this as well.
>>>>>>>>>>>
>>>>>>>>>>>> If i use
>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>> i get
>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>
>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>
>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar
>>>>>>>>>>>> algorythm and therefore does not find the account and uses des
>>>>>>>>>>>> and arcfour keys per default.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>>>>> the instructions:
>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>> Mike
>>>>>>>>>> Try this
>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>
>>>>>>>>>> Afterwards "domain export" will export also aes keys for the
>>>>>>>>>> SPN's.
>>>>>>>>> And, this is why I addressed you as “experts” earlier. Indeed, it
>>>>>>>>> did!
>>>>>>>>>
>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing keytab
>>>>>>>>> on the destination machine and begin my testing.
>>>>>>>>>
>>>>>>>>> Thank you tremendously (although I think we may have created hell
>>>>>>>>> for Rowland with the wiki documentation)!
>>>>>>>>>
>>>>>>>>> Mike
>>>>>>>> I was wondering about the missing aes keys for an while. So thanks
>>>>>>>> for bringing it up on the list.
>>>>>>>>
>>>>>>>> If an user gets created the attribute msDS-SupportedEncryptionTypes
>>>>>>>> remains undefined and in this case only des and rc4 keys are
>>>>>>>> exported.
>>>>>>>>
>>>>>>>> net ads enctypes set [hostname] [key value] can be used to define
>>>>>>>> the valid keys for an accound (and it's spn's).
>>>>>>>>
>>>>>>>> The key value is repesented as
>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>
>>>>>>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>>>>>>> does always export des and rc4 keys but honours 0x8 for aes128 and
>>>>>>>> 0x10 for aes256. I assume if enctypes are set to 24 for example
>>>>>>>> (only aes128/256) the server will honour this and decline des and
>>>>>>>> rc4 attempts.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> That’s interesting, indeed.
>>>>>>>
>>>>>>> Rowland—
>>>>>>>
>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>> functionality of the ktpass command on a Windows AD. With that
>>>>>>> command, one would need to include an encoding type, and I’m just
>>>>>>> wondering if it should be included in the wiki pages as well rather
>>>>>>> than trying to add it back manually after the export. Also,
>>>>>>> something tells me that the ktpass command, when creating the SPN
>>>>>>> for
>>>>>>> a user, also sets the required encoding type.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Mike
>>>>>> The problem is the command 'samba-tool spn add' does just that, it
>>>>>> only
>>>>>> adds the 'servicePrincipalName', no enctypes are mentioned.
>>>>>>
>>>>>> Exporting the keytab is the same, there is no mention of enctypes
>>>>>>
>>>>>> So, until this changes, the wiki can only document what actually
>>>>>> happens.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hello Rowland,
>>>>>
>>>>> As I wrote before you can use the command
>>>>>
>>>>> net ads enctypes set [username] 31
>>>>>
>>>>> to convince domain export to export also the aes keys for the SPN's
>>>>> assigned to [username] like it is done for [username].
>>>>> If only aes keys are wanted in the keytab file unwanted keys can be
>>>>> removed from the keytab file with ktutil.
>>>>>
>>>>> See here for more info about "net ads enctypes"
>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
>>>>>
>>>>>
>>>>> It controls which encryption types are used for ticket generation
>>>>> on the
>>>>> server.
>>>>>
>>>>> achim~
>>>>
>>>> I've been trying to follow this thread but admit I'm still missing
>>>> something. Given the example below, what needs to be done to get the
>>>> aes keys in the keytab, exactly?
>>>>
>>>> # net ads enctypes list hostname$
>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>> [X] 0x00000001 DES-CBC-CRC
>>>> [X] 0x00000002 DES-CBC-MD5
>>>> [X] 0x00000004 RC4-HMAC
>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>
>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>
>>>> # klist -ke test
>>>> Keytab name: FILE:test
>>>> KVNO Principal
>>>> ----
>>>> --------------------------------------------------------------------------
>>>>
>>>>
>>>>    1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>    1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>    1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>
>>> What version of samba are you using? For my tests i used 4.4.5. "net
>>> enctypes" was added wth version 4.2.10.
>>> Setting enctypes was only necessary here for aes keys with spn's as
>>> principals. upn's/usernames always export the aes keys here.
>>>
>>
>> 4.4.5 here, too.
>>
>> # samba -V
>> Version 4.4.5
>>
> Odd, it just works here with 4.4.5 also for hostnames even with aes
> disabled in enctypes all five keys are generated.
> What os are you using and how did you install samba?
>

CentOS 6.8, Samba 4.4.5 compiled from source, installed to update the 
original Samba 4.3.3, also compiled from source.

It's particularly interesting (to me, at least) because the CentOS 
'adcli' utility, when used to join a system to this same domain, creates 
a keytab which *does* include the aes keys. But if I subsequently use 
samba-tool to create a keytab for that host, those aes keys are still 
absent.

More information about the samba mailing list