[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Fri Sep 16 23:14:26 UTC 2016



Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba:
>
>
> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba:
>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM:
>>>
>>>
>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba:
>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM:
>>>>> On Fri, 16 Sep 2016 13:00:52 -0700
>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>>>
>>>>>>>
>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz
>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> 
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN:  I see
>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>>>>>>>>> SPN.  Are those expected, or have I done something wrong 
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading that
>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read
>>>>>>>>>>>>>>> this during TLS enablement) is what should be used.
>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the FQDN and
>>>>>>>>>>>>>> only the hostname without the domain part the aes keys are
>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>>>>>>> So, now I’m a little more confused.  I’ve added the SPN to 
>>>>>>>>>>>>> the
>>>>>>>>>>>>> user without the realm part, which succeeds.  I listed it to
>>>>>>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>>>>>>
>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>>>> User
>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated 
>>>>>>>>>>>>> above
>>>>>>>>>>>>> with —principal=HTTP/intranet it errors:
>>>>>>>>>>>>>
>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught 
>>>>>>>>>>>>> exception -
>>>>>>>>>>>>> Key table entry not found File
>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", 
>>>>>>>>>>>>>
>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File
>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab,
>>>>>>>>>>>>> principal=principal)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Should that command work?  Or, was that for
>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it
>>>>>>>>>>>>> worked for you since you referenced my specific case.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If i run (after kinit Administrator)
>>>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>>>> i get
>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I get this as well.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If i use
>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>>>> i get
>>>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar
>>>>>>>>>>>>>> algorythm and therefore does not find the account and uses
>>>>>>>>>>>>>> des and arcfour keys per default.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>>> read the instructions:
>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>>>> Mike
>>>>>>>>>>>> Try this
>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>>>
>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for the
>>>>>>>>>>>> SPN's.
>>>>>>>>>>> And, this is why I addressed you as “experts” earlier.  Indeed,
>>>>>>>>>>> it did!
>>>>>>>>>>>
>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing
>>>>>>>>>>> keytab on the destination machine and begin my testing.
>>>>>>>>>>>
>>>>>>>>>>> Thank you tremendously (although I think we may have created
>>>>>>>>>>> hell for Rowland with the wiki documentation)!
>>>>>>>>>>>
>>>>>>>>>>> Mike
>>>>>>>>>> I was wondering about the missing aes keys for an while. So
>>>>>>>>>> thanks for bringing it up on the list.
>>>>>>>>>>
>>>>>>>>>> If an user gets created the attribute
>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this case
>>>>>>>>>> only des and rc4 keys are exported.
>>>>>>>>>>
>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to 
>>>>>>>>>> define
>>>>>>>>>> the valid keys for an accound (and it's spn's).
>>>>>>>>>>
>>>>>>>>>> The key value is repesented as
>>>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>>>
>>>>>>>>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for aes128
>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for
>>>>>>>>>> example (only aes128/256) the server will honour this and
>>>>>>>>>> decline des and rc4 attempts.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> That’s interesting, indeed.
>>>>>>>>>
>>>>>>>>> Rowland—
>>>>>>>>>
>>>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>>>> functionality of the ktpass command on a Windows AD. With that
>>>>>>>>> command, one would need to include an encoding type, and I’m just
>>>>>>>>> wondering if it should be included in the wiki pages as well
>>>>>>>>> rather than trying to add it back manually after the export.
>>>>>>>>> Also, something tells me that the ktpass command, when creating
>>>>>>>>> the SPN for a user, also sets the required encoding type.
>>>>>>>>>
>>>>>>>>> Thoughts?
>>>>>>>>>
>>>>>>>>> Mike
>>>>>>>> The problem is the command 'samba-tool spn add' does just that, it
>>>>>>>> only adds the 'servicePrincipalName', no enctypes are mentioned.
>>>>>>>>
>>>>>>>> Exporting the keytab is the same, there is no mention of enctypes
>>>>>>>>
>>>>>>>> So, until this changes, the wiki can only document what actually
>>>>>>>> happens.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Hello Rowland,
>>>>>>>
>>>>>>> As I wrote before you can use the command
>>>>>>>
>>>>>>> net ads enctypes set [username] 31
>>>>>>>
>>>>>>> to convince domain export to export also the aes keys for the SPN's
>>>>>>> assigned to [username] like it is done for [username].
>>>>>>> If only aes keys are wanted in the keytab file unwanted keys can be
>>>>>>> removed from the keytab file with ktutil.
>>>>>>>
>>>>>>> See here for more info about "net ads enctypes"
>>>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html. 
>>>>>>>
>>>>>>>
>>>>>>> It controls which encryption types are used for ticket generation
>>>>>>> on the server.
>>>>>>>
>>>>>>> achim~
>>>>>>
>>>>>> I've been trying to follow this thread but admit I'm still missing
>>>>>> something. Given the example below, what needs to be done to get the
>>>>>> aes keys in the keytab, exactly?
>>>>>>
>>>>>> # net ads enctypes list hostname$
>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>
>>>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>>>
>>>>>> # klist -ke test
>>>>>> Keytab name: FILE:test
>>>>>> KVNO Principal
>>>>>> ----
>>>>>> -------------------------------------------------------------------------- 
>>>>>>
>>>>>>
>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>>>     1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>>>
>>>>>
>>>>> If I 'kinit Administrator' before running your commands as root on a
>>>>> DC, I get this:
>>>>>
>>>>> klist -ke devstation.keytab
>>>>> Keytab name: FILE:devstation.keytab
>>>>> KVNO Principal
>>>>> ----
>>>>> -------------------------------------------------------------------------- 
>>>>>
>>>>>
>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>>>>>
>>>>> Rowland
>>>>
>>>> Yeah, sorry, I should have specified that I did exactly that -- 'kinit
>>>> Administrator' as root, on a DC -- followed by the sequence of
>>>> commands I listed.
>>>>
>>>> Hm ... would domain/forest functional level matter? we've never
>>>> bothered to raise ours from the default.
>>>>
>>> That's it. On my 4.2.10 server the domain and forest level was 2003 
>>> so i
>>> raised it to 2008 R2. Tested with an user account and at first it
>>> exported only des and rc4 keys. After setting the password for that 
>>> user
>>> again (what rowland recommended in an other reply) it does now export
>>> aes keys for that user. For an computer account you may have to rejoin
>>> the computer to trigger the generation of an new password for that
>>> account immediate.
>>>
>>
>> Excellent, thanks. Indeed, it worked for me here, too, on a test 
>> domain. One final (I think/hope) question: How might I deal with 
>> password resets of the DC computer accounts themselves, to trigger 
>> the creation of their AES keys?
>>
> The password is changed every 30 days by default if you did not 
> disable it via gpo. 
> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
> See here how to reset the computer account passwords manualy.
>
For the samba dc's you can use

samba-tool user setpassword hostname$





More information about the samba mailing list