[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Sat Sep 17 00:36:10 UTC 2016



Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba:
>
>
> Am 17.09.2016 um 01:23 schrieb Robert Moulton:
>> Achim Gottinger via samba wrote on 9/16/16 4:14 PM:
>>>
>>>
>>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba:
>>>>
>>>>
>>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba:
>>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM:
>>>>>>
>>>>>>
>>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba:
>>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM:
>>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700
>>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote:
>>>>>>>>
>>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger 
>>>>>>>>>>>>> <achim at ag-web.biz>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger 
>>>>>>>>>>>>>>> <achim at ag-web.biz
>>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: I see
>>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not the
>>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong and
>>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading that
>>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read
>>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used.
>>>>>>>>>>>>>>>>> I get the same behaviour here. If I do not use the FQDN and
>>>>>>>>>>>>>>>>> only the hostname without the domain part, the AES keys are
>>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to the
>>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed it to
>>>>>>>>>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>>>>>>> User
>>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated
>>>>>>>>>>>>>>>> above with --principal=HTTP/intranet it errors:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught
>>>>>>>>>>>>>>>> exception -
>>>>>>>>>>>>>>>> Key table entry not found File
>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File
>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab,
>>>>>>>>>>>>>>>> principal=principal)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Should that command work?  Or, was that for
>>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it
>>>>>>>>>>>>>>>> worked for you since you referenced my specific case.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The encryption methods used can be controlled with net ads
>>>>>>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If I run (after kinit Administrator)
>>>>>>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>>>>>>> I get
>>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 
>>>>>>>>>>>>>>>>> (0x0000001f)
>>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I get this as well.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> If I use
>>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>>>>>>> I get
>>>>>>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar
>>>>>>>>>>>>>>>>> algorithm and therefore does not find the account and uses
>>>>>>>>>>>>>>>>> DES and arcfour keys by default.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>>>>>> read the instructions:
>>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Try this
>>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Afterwards "domain export" will also export AES keys for the
>>>>>>>>>>>>>>> SPNs.
>>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. Indeed,
>>>>>>>>>>>>>> it did!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing
>>>>>>>>>>>>>> keytab on the destination machine and begin my testing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you tremendously (although I think we may have created
>>>>>>>>>>>>>> hell for Rowland with the wiki documentation)!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> I was wondering about the missing AES keys for a while. So
>>>>>>>>>>>>> thanks for bringing it up on the list.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If a user gets created, the attribute
>>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined, and in this case
>>>>>>>>>>>>> only DES and RC4 keys are exported.
>>>>>>>>>>>>>
>>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to define
>>>>>>>>>>>>> the valid keys for an account (and its SPNs).
>>>>>>>>>>>>>
>>>>>>>>>>>>> The key value is represented as
>>>>>>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>>>>>>
>>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain exportkeytab
>>>>>>>>>>>>> always exports DES and RC4 keys but honours 0x8 for aes128
>>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24, for
>>>>>>>>>>>>> example (only aes128/256), the server will honour this and
>>>>>>>>>>>>> decline DES and RC4 attempts.
>>>>>>>>>>>>>
>>>>>>>>>>>> That’s interesting, indeed.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland—
>>>>>>>>>>>>
>>>>>>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that
>>>>>>>>>>>> command, one would need to include an encoding type, and I’m just
>>>>>>>>>>>> wondering if it should be included in the wiki pages as well
>>>>>>>>>>>> rather than trying to add it back manually after the export.
>>>>>>>>>>>> Also, something tells me that the ktpass command, when creating
>>>>>>>>>>>> the SPN for a user, also sets the required encoding type.
>>>>>>>>>>>>
>>>>>>>>>>>> Thoughts?
>>>>>>>>>>>>
>>>>>>>>>>>> Mike
>>>>>>>>>>> The problem is the command 'samba-tool spn add' does just that, it
>>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are mentioned.
>>>>>>>>>>>
>>>>>>>>>>> Exporting the keytab is the same, there is no mention of enctypes.
>>>>>>>>>>>
>>>>>>>>>>> So, until this changes, the wiki can only document what actually
>>>>>>>>>>> happens.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Hello Rowland,
>>>>>>>>>>
>>>>>>>>>> As I wrote before, you can use the command
>>>>>>>>>>
>>>>>>>>>> net ads enctypes set [username] 31
>>>>>>>>>>
>>>>>>>>>> to convince domain export to also export the AES keys for the SPNs
>>>>>>>>>> assigned to [username], as is done for [username].
>>>>>>>>>> If only AES keys are wanted in the keytab file, unwanted keys can be
>>>>>>>>>> removed from the keytab file with ktutil.
>>>>>>>>>>
>>>>>>>>>> See here for more info about "net ads enctypes":
>>>>>>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html
>>>>>>>>>>
>>>>>>>>>> It controls which encryption types are used for ticket generation
>>>>>>>>>> on the server.
>>>>>>>>>>
>>>>>>>>>> achim~
>>>>>>>>>
>>>>>>>>> I've been trying to follow this thread but admit I'm still missing
>>>>>>>>> something. Given the example below, what needs to be done to get the
>>>>>>>>> AES keys in the keytab, exactly?
>>>>>>>>>
>>>>>>>>> # net ads enctypes list hostname$
>>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>
>>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>>>>>>
>>>>>>>>> # klist -ke test
>>>>>>>>> Keytab name: FILE:test
>>>>>>>>> KVNO Principal
>>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>>>>>>     1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>>>>>>     1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>>>>>>
>>>>>>>>
>>>>>>>> If I 'kinit Administrator' before running your commands as root on a
>>>>>>>> DC, I get this:
>>>>>>>>
>>>>>>>> klist -ke devstation.keytab
>>>>>>>> Keytab name: FILE:devstation.keytab
>>>>>>>> KVNO Principal
>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>>>>>>>>    1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> Yeah, sorry, I should have specified that I did exactly that -- 'kinit
>>>>>>> Administrator' as root, on a DC -- followed by the sequence of
>>>>>>> commands I listed.
>>>>>>>
>>>>>>> Hm ... would domain/forest functional level matter? We've never
>>>>>>> bothered to raise ours from the default.
>>>>>>>
>>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003,
>>>>>> so I raised it to 2008 R2. Tested with a user account, and at first it
>>>>>> exported only DES and RC4 keys. After setting the password for that
>>>>>> user again (what Rowland recommended in another reply) it does now
>>>>>> export AES keys for that user. For a computer account you may have to
>>>>>> rejoin the computer to trigger the generation of a new password for
>>>>>> that account immediately.
>>>>>>
>>>>>
>>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test
>>>>> domain. One final (I think/hope) question: How might I deal with
>>>>> password resets of the DC computer accounts themselves, to trigger
>>>>> the creation of their AES keys?
>>>>>
>>>> The password is changed every 30 days by default if you did not
>>>> disable it via GPO.
>>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
>>>>
>>>> See here how to reset the computer account passwords manually.
>>>>
>>> For the samba dc's you can use
>>>
>>> samba-tool user setpassword hostname$
>>
>> Heh, sheesh, embarrassing ... as easy as that.
>>
>> Thanks for your guidance! Rowland, thank you for chiming in as well!
> Hmm, it could be that this messes up replication.
>
Yes, it does mess up replication! Do not use setpassword for the Samba
host!!!
Glad I made a snapshot of my test VM before I tried it.
It worked for a Windows 7 client; however, the LDAP and CIFS tickets
were using aes256.
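
The thread turns on two things: the msDS-SupportedEncryptionTypes bitmask (31 enables every type listed by `net ads enctypes list`, 24 only the two AES types), and reading `klist -ke` output to see which keys actually ended up in an exported keytab. The script below is an added example, not code from this thread or from the Samba project. It decodes and encodes that bitmask using the bit values quoted in the thread, parses a `klist -ke` listing (the embedded sample is constructed to look like the DES/RC4-only listing posted above), and reports per principal which wanted enctypes are missing and which DES/RC4 keys are still present, so a keytab can be checked before it is copied to a host. The lowercase klist labels, and the `arcfour-hmac-md5` alias, are assumptions about klist output rather than anything stated in the thread.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes as printed by `net ads enctypes list`.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
ALL_TYPES = 0x1f             # 31: the value the thread uses to enable everything
AES_ONLY = 0x08 | 0x10       # 24: the "only aes128/256" value mentioned in the thread
LEGACY = 0x01 | 0x02 | 0x04  # DES and RC4, the types exportkeytab emits by default

# Labels `klist -ke` prints, mapped to the same bits. The "arcfour-hmac-md5"
# spelling is an assumption for klist builds that print the long form.
KLIST_LABELS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04,
    "arcfour-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}


def decode_enctypes(value):
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def encode_enctypes(names):
    """Inverse of decode_enctypes: build the attribute value from enctype names."""
    bits = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        value |= bits[name]
    return value


# One keytab entry line: "<kvno> <principal> (<enctype>)".
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(output):
    """Parse `klist -ke` output into {principal: bitmask of enctypes present}."""
    present = {}
    for line in output.splitlines():
        m = _KLIST_ENTRY.match(line)
        if not m:
            continue  # "Keytab name:" header, column header, separator or blank line
        principal, label = m.group(2), m.group(3).lower()
        bit = KLIST_LABELS.get(label)
        if bit is None:
            raise ValueError("unknown enctype label in keytab listing: %s" % label)
        present[principal] = present.get(principal, 0) | bit
    return present


def audit_keytab(output, required=AES_ONLY, unwanted=LEGACY):
    """Per principal: required enctypes that are missing, unwanted ones that are present."""
    report = {}
    for principal, mask in parse_klist(output).items():
        report[principal] = {
            "missing": decode_enctypes(required & ~mask),
            "unwanted": decode_enctypes(unwanted & mask),
        }
    return report


# Constructed sample shaped like the listing in the thread where only DES and RC4 came out.
SAMPLE_KLIST = """\
Keytab name: FILE:test
KVNO Principal
---- --------------------------------------------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    print("31 enables:", decode_enctypes(ALL_TYPES))
    print("AES only  :", AES_ONLY, decode_enctypes(AES_ONLY))
    for principal, findings in audit_keytab(SAMPLE_KLIST).items():
        print(principal, findings)
```

On the sample the audit reports that hostname$ is missing both AES keys and still carries DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC; a listing like Rowland's devstation$ output, which contains the AES entries, comes back with nothing missing. To check a real keytab, pass the captured text of `klist -ke <file>` to `audit_keytab`.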





