[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Sat Sep 17 00:19:37 UTC 2016



On 17.09.2016 at 01:23, Robert Moulton wrote:
> Achim Gottinger via samba wrote on 9/16/16 4:14 PM:
>>
>>
>> On 17.09.2016 at 00:54, Achim Gottinger via samba wrote:
>>>
>>>
>>> On 17.09.2016 at 00:29, Robert Moulton via samba wrote:
>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM:
>>>>>
>>>>>
>>>>> On 16.09.2016 at 23:00, Robert Moulton via samba wrote:
>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM:
>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700
>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 15.09.2016 at 09:35, Rowland Penny via samba wrote:
>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>>>>>
>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger 
>>>>>>>>>>>> <achim at ag-web.biz>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 14.09.2016 at 20:33, Michael A Weber wrote:
>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger 
>>>>>>>>>>>>>> <achim at ag-web.biz
>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 14.09.2016 at 19:53, Michael A Weber wrote:
>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 14.09.2016 at 18:23, Michael A Weber wrote:
>>>>>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN:  I 
>>>>>>>>>>>>>>>>> see
>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not 
>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>> SPN.  Are those expected, or have I done something wrong
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading 
>>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read
>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used.
>>>>>>>>>>>>>>>> I get the same behaviour here. If I do not use the
>>>>>>>>>>>>>>>> FQDN and
>>>>>>>>>>>>>>>> only the hostname without the domain part the aes keys are
>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> user without the realm part, which succeeds.  I listed 
>>>>>>>>>>>>>>> it to
>>>>>>>>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>>>>>> User
>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld 
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated
>>>>>>>>>>>>>>> above
>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>>>>>>>>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>>>>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>>>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>>>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>>>>>>>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Should that command work?  Or, was that for
>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it
>>>>>>>>>>>>>>> worked for you since you referenced my specific case.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I run (after kinit Administrator)
>>>>>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>>>>>> I get
>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 
>>>>>>>>>>>>>>>> (0x0000001f)
>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I get this as well.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I use
>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>>>>>> I get
>>>>>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
>>>>>>>>>>>>>>>> algorithm and therefore does not find the account and uses
>>>>>>>>>>>>>>>> des and arcfour keys per default.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>>>>> read the instructions:
>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Try this
>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for the
>>>>>>>>>>>>>> SPN's.
>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier.  
>>>>>>>>>>>>> Indeed,
>>>>>>>>>>>>> it did!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing
>>>>>>>>>>>>> keytab on the destination machine and begin my testing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you tremendously (although I think we may have created
>>>>>>>>>>>>> hell for Rowland with the wiki documentation)!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mike
>>>>>>>>>>>> I was wondering about the missing aes keys for a while. So
>>>>>>>>>>>> thanks for bringing it up on the list.
>>>>>>>>>>>>
>>>>>>>>>>>> If a user gets created the attribute
>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this 
>>>>>>>>>>>> case
>>>>>>>>>>>> only des and rc4 keys are exported.
>>>>>>>>>>>>
>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to
>>>>>>>>>>>> define
>>>>>>>>>>>> the valid keys for an account (and its SPNs).
>>>>>>>>>>>>
>>>>>>>>>>>> The key value is represented as
>>>>>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>>>>>
>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain 
>>>>>>>>>>>> exportkeytab
>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for aes128
>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for
>>>>>>>>>>>> example (only aes128/256) the server will honour this and
>>>>>>>>>>>> decline des and rc4 attempts.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> That’s interesting, indeed.
>>>>>>>>>>>
>>>>>>>>>>> Rowland—
>>>>>>>>>>>
>>>>>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that
>>>>>>>>>>> command, one would need to include an encoding type, and I’m 
>>>>>>>>>>> just
>>>>>>>>>>> wondering if it should be included in the wiki pages as well
>>>>>>>>>>> rather than trying to add it back manually after the export.
>>>>>>>>>>> Also, something tells me that the ktpass command, when creating
>>>>>>>>>>> the SPN for a user, also sets the required encoding type.
>>>>>>>>>>>
>>>>>>>>>>> Thoughts?
>>>>>>>>>>>
>>>>>>>>>>> Mike
>>>>>>>>>> The problem is the command 'samba-tool spn add' does just 
>>>>>>>>>> that, it
>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are mentioned.
>>>>>>>>>>
>>>>>>>>>> Exporting the keytab is the same, there is no mention of 
>>>>>>>>>> enctypes
>>>>>>>>>>
>>>>>>>>>> So, until this changes, the wiki can only document what actually
>>>>>>>>>> happens.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Hello Rowland,
>>>>>>>>>
>>>>>>>>> As I wrote before you can use the command
>>>>>>>>>
>>>>>>>>> net ads enctypes set [username] 31
>>>>>>>>>
>>>>>>>>> to convince domain export to export also the aes keys for the 
>>>>>>>>> SPN's
>>>>>>>>> assigned to [username] like it is done for [username].
>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys 
>>>>>>>>> can be
>>>>>>>>> removed from the keytab file with ktutil.
>>>>>>>>>
>>>>>>>>> See here for more info about "net ads enctypes"
>>>>>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html. 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It controls which encryption types are used for ticket generation
>>>>>>>>> on the server.
>>>>>>>>>
>>>>>>>>> achim~
>>>>>>>>
>>>>>>>> I've been trying to follow this thread but admit I'm still missing
>>>>>>>> something. Given the example below, what needs to be done to 
>>>>>>>> get the
>>>>>>>> aes keys in the keytab, exactly?
>>>>>>>>
>>>>>>>> # net ads enctypes list hostname$
>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>
>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>>>>>
>>>>>>>> # klist -ke test
>>>>>>>> Keytab name: FILE:test
>>>>>>>> KVNO Principal
>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>>>>>     1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>>>>>
>>>>>>>
>>>>>>> If I 'kinit Administrator' before running your commands as root 
>>>>>>> on a
>>>>>>> DC, I get this:
>>>>>>>
>>>>>>> klist -ke devstation.keytab
>>>>>>> Keytab name: FILE:devstation.keytab
>>>>>>> KVNO Principal
>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> Yeah, sorry, I should have specified that I did exactly that -- 
>>>>>> 'kinit
>>>>>> Administrator' as root, on a DC -- followed by the sequence of
>>>>>> commands I listed.
>>>>>>
>>>>>> Hm ... would domain/forest functional level matter? we've never
>>>>>> bothered to raise ours from the default.
>>>>>>
>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003
>>>>> so I raised it to 2008 R2. Tested with a user account and at first it
>>>>> exported only des and rc4 keys. After setting the password for that
>>>>> user again (what Rowland recommended in another reply) it does now
>>>>> export aes keys for that user. For a computer account you may have to
>>>>> rejoin the computer to trigger the generation of a new password for
>>>>> that account immediately.
>>>>>
>>>>
>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test
>>>> domain. One final (I think/hope) question: How might I deal with
>>>> password resets of the DC computer accounts themselves, to trigger
>>>> the creation of their AES keys?
>>>>
>>> The password is changed every 30 days by default if you did not
>>> disable it via gpo.
>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ 
>>>
>>>
>>> See here how to reset the computer account passwords manually.
>>>
>> For the samba dc's you can use
>>
>> samba-tool user setpassword hostname$
>
> Heh, sheesh, embarrassing ... as easy as that.
>
> Thanks for your guidance! Rowland, thank you for chiming in as well!
Hmm, it could be that this messes up replication.
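The thread turns on two things that are easy to get wrong by hand: reading the msDS-SupportedEncryptionTypes bitmask (31 enables everything, 24 would be AES128+AES256 only) and checking whether an exported keytab actually contains the AES keys the account is supposed to have. The script below is an added example, not code from the thread or from Samba; it decodes and encodes the bitmask using the bit values quoted from `net ads enctypes list`, parses `klist -ke` style output (the sample listing is constructed for this example, in the shape of the one Robert posted) and reports AES keys that are missing, DES/RC4 keys that are present, and key types the attribute does not enable. The function names and the `audit_keytab` result layout are this example's own choices.

```python
#!/usr/bin/env python3
"""Decode msDS-SupportedEncryptionTypes and audit a keytab listing.

Added example; not part of the samba mailing-list thread or of Samba.
The bit values are the ones printed by `net ads enctypes list`; the
klist sample at the bottom is constructed for this example.
"""
import re

# Bit values of msDS-SupportedEncryptionTypes as printed by `net ads enctypes list`.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
ALL_ENCTYPES = 0x1F        # 31: the value the thread sets with `net ads enctypes set <account> 31`
AES_ONLY = 0x08 | 0x10     # 24: AES128 + AES256, the AES-only value mentioned in the thread
WEAK = 0x01 | 0x02 | 0x04  # DES and RC4 key types

# Enctype names as `klist -ke` prints them, mapped onto the same bits.
KLIST_NAMES = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}


def decode_enctypes(value):
    """Return the enctype names enabled in a msDS-SupportedEncryptionTypes value, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the attribute value from enctype names."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        value |= by_name[name]  # an unknown name raises KeyError on purpose
    return value


# One keytab entry line: "   1 principal@REALM (enctype)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Parse `klist -ke` output into (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(klist_text, supported_value):
    """Compare the key types in a keytab listing with the account's supported enctypes.

    Returns a dict with:
      present        - bitmask of key types found in the keytab
      missing_aes    - AES types the attribute enables but the keytab lacks
      weak_present   - DES/RC4 key types found in the keytab
      outside_policy - key types in the keytab that the attribute does not enable
    """
    present = 0
    for _kvno, _principal, enctype in parse_klist(klist_text):
        present |= KLIST_NAMES.get(enctype, 0)  # unknown names are ignored
    return {
        "present": present,
        "missing_aes": decode_enctypes((supported_value & AES_ONLY) & ~present),
        "weak_present": decode_enctypes(present & WEAK),
        "outside_policy": decode_enctypes(present & ~supported_value),
    }


# Constructed sample listing: a keytab exported before the account had AES keys.
SAMPLE_KLIST = """\
Keytab name: FILE:test
KVNO Principal
---- --------------------------------------------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    print("31 enables:", decode_enctypes(ALL_ENCTYPES))
    print("AES-only value:", encode_enctypes(["AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"]))
    for key, val in audit_keytab(SAMPLE_KLIST, ALL_ENCTYPES).items():
        print(f"{key}: {val}")
```

Run against a real listing by piping `klist -ke <keytab>` into `parse_klist`; an account at 31 whose keytab shows only DES and RC4 keys is exactly the situation in the thread (no AES key material until the password is reset), and auditing the same listing against 24 shows which entries `ktutil` would have to remove for an AES-only keytab.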


