[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Sat Sep 17 01:08:45 UTC 2016
Am 17.09.2016 um 02:36 schrieb Achim Gottinger via samba:
>
>
> Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba:
>>
>>
>> Am 17.09.2016 um 01:23 schrieb Robert Moulton:
>>> Achim Gottinger via samba wrote on 9/16/16 4:14 PM:
>>>>
>>>>
>>>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba:
>>>>>
>>>>>
>>>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba:
>>>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM:
>>>>>>>
>>>>>>>
>>>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba:
>>>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM:
>>>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700
>>>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote:
>>>>>>>>>
>>>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba:
>>>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500
>>>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger
>>>>>>>>>>>>>> <achim at ag-web.biz>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>>>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger
>>>>>>>>>>>>>>>> <achim at ag-web.biz
>>>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>>>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
>>>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>>
>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>>>>>>>>>>>>>>>>>> Question though, just for my curiosity:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN:
>>>>>>>>>>>>>>>>>>> I see
>>>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but
>>>>>>>>>>>>>>>>>>> not the
>>>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something
>>>>>>>>>>>>>>>>>>> wrong
>>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall
>>>>>>>>>>>>>>>>>>> reading that
>>>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I
>>>>>>>>>>>>>>>>>>> read
>>>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used.
>>>>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the
>>>>>>>>>>>>>>>>>> FQDN and
>>>>>>>>>>>>>>>>>> only the hostname without the domain part the aes
>>>>>>>>>>>>>>>>>> keys are
>>>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet.
>>>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to
>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed
>>>>>>>>>>>>>>>>> it to
>>>>>>>>>>>>>>>>> verify, and it’s there (sanitized here):
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini
>>>>>>>>>>>>>>>>> web-intranet-macmini
>>>>>>>>>>>>>>>>> User
>>>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> has the following servicePrincipalName:
>>>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated
>>>>>>>>>>>>>>>>> above
>>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught
>>>>>>>>>>>>>>>>> exception -
>>>>>>>>>>>>>>>>> Key table entry not found File
>>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File
>>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab,
>>>>>>>>>>>>>>>>> principal=principal)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Should that command work? Or, was that for
>>>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it
>>>>>>>>>>>>>>>>> worked for you since you referenced my specific case.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I feel I’m missing something.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The encryption methods used can be controlled with
>>>>>>>>>>>>>>>>>> net ads
>>>>>>>>>>>>>>>>>> enctypes.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> If i run (after kinit Administrator)
>>>>>>>>>>>>>>>>>> net ads enctypes list dc1$
>>>>>>>>>>>>>>>>>> i get
>>>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31
>>>>>>>>>>>>>>>>>> (0x0000001f)
>>>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I get this as well.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> If i use
>>>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>>>>>>>>>>>>> i get
>>>>>>>>>>>>>>>>>> no account found with filter:
>>>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Again, I get this as well.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar
>>>>>>>>>>>>>>>>>> algorythm and therefore does not find the account and
>>>>>>>>>>>>>>>>>> uses
>>>>>>>>>>>>>>>>>> des and arcfour keys per default.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL
>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>> read the instructions:
>>>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba>
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Try this
>>>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys
>>>>>>>>>>>>>>>> for the
>>>>>>>>>>>>>>>> SPN's.
>>>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier.
>>>>>>>>>>>>>>> Indeed,
>>>>>>>>>>>>>>> it did!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing
>>>>>>>>>>>>>>> keytab on the destination machine and begin my testing.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you tremendously (although I think we may have
>>>>>>>>>>>>>>> created
>>>>>>>>>>>>>>> hell for Rowland with the wiki documentation)!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> I was wondering about the missing aes keys for an while. So
>>>>>>>>>>>>>> thanks for bringing it up on the list.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If an user gets created the attribute
>>>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in
>>>>>>>>>>>>>> this case
>>>>>>>>>>>>>> only des and rc4 keys are exported.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to
>>>>>>>>>>>>>> define
>>>>>>>>>>>>>> the valid keys for an accound (and it's spn's).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The key value is repesented as
>>>>>>>>>>>>>> 0x00000001 DES-CBC-CRC
>>>>>>>>>>>>>> 0x00000002 DES-CBC-MD5
>>>>>>>>>>>>>> 0x00000004 RC4-HMAC
>>>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>>>> (you mean, 0x00000016, for the last entry)
>>>>>>>>>>>>>
>>>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain
>>>>>>>>>>>>>> exportkeytab
>>>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for
>>>>>>>>>>>>>> aes128
>>>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for
>>>>>>>>>>>>>> example (only aes128/256) the server will honour this and
>>>>>>>>>>>>>> decline des and rc4 attempts.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> That’s interesting, indeed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland—
>>>>>>>>>>>>>
>>>>>>>>>>>>> This whole thing seems to me like we are duplicating the
>>>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With
>>>>>>>>>>>>> that
>>>>>>>>>>>>> command, one would need to include an encoding type, and
>>>>>>>>>>>>> I’m just
>>>>>>>>>>>>> wondering if it should be included in the wiki pages as well
>>>>>>>>>>>>> rather than trying to add it back manually after the export.
>>>>>>>>>>>>> Also, something tells me that the ktpass command, when
>>>>>>>>>>>>> creating
>>>>>>>>>>>>> the SPN for a user, also sets the required encoding type.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thoughts?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mike
>>>>>>>>>>>> The problem is the command 'samba-tool spn add' does just
>>>>>>>>>>>> that, it
>>>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are
>>>>>>>>>>>> mentioned.
>>>>>>>>>>>>
>>>>>>>>>>>> Exporting the keytab is the same, there is no mention of
>>>>>>>>>>>> enctypes
>>>>>>>>>>>>
>>>>>>>>>>>> So, until this changes, the wiki can only document what
>>>>>>>>>>>> actually
>>>>>>>>>>>> happens.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>> Hello Rowland,
>>>>>>>>>>>
>>>>>>>>>>> As I wrote before you can use the command
>>>>>>>>>>>
>>>>>>>>>>> net ads enctypes set [username] 31
>>>>>>>>>>>
>>>>>>>>>>> to convince domain export to export also the aes keys for
>>>>>>>>>>> the SPN's
>>>>>>>>>>> assigned to [username] like it is done for [username].
>>>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys
>>>>>>>>>>> can be
>>>>>>>>>>> removed from the keytab file with ktutil.
>>>>>>>>>>>
>>>>>>>>>>> See here for more info about "net ads enctypes"
>>>>>>>>>>> https://www.mail-archive.com/cifs-protocol@lists.samba.org/msg00062.html.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> It controls which encryption types are used for ticket
>>>>>>>>>>> generation
>>>>>>>>>>> on the server.
>>>>>>>>>>>
>>>>>>>>>>> achim~
>>>>>>>>>>
>>>>>>>>>> I've been trying to follow this thread but admit I'm still
>>>>>>>>>> missing
>>>>>>>>>> something. Given the example below, what needs to be done to
>>>>>>>>>> get the
>>>>>>>>>> aes keys in the keytab, exactly?
>>>>>>>>>>
>>>>>>>>>> # net ads enctypes list hostname$
>>>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31
>>>>>>>>>> (0x0000001f)
>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>>>>
>>>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$
>>>>>>>>>>
>>>>>>>>>> # klist -ke test
>>>>>>>>>> Keytab name: FILE:test
>>>>>>>>>> KVNO Principal
>>>>>>>>>> ----
>>>>>>>>>> --------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc)
>>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5)
>>>>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If I 'kinit Administrator' before running your commands as
>>>>>>>>> root on a
>>>>>>>>> DC, I get this:
>>>>>>>>>
>>>>>>>>> klist -ke devstation.keytab
>>>>>>>>> Keytab name: FILE:devstation.keytab
>>>>>>>>> KVNO Principal
>>>>>>>>> ----
>>>>>>>>> --------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> Yeah, sorry, I should have specified that I did exactly that --
>>>>>>>> 'kinit
>>>>>>>> Administrator' as root, on a DC -- followed by the sequence of
>>>>>>>> commands I listed.
>>>>>>>>
>>>>>>>> Hm ... would domain/forest functional level matter? we've never
>>>>>>>> bothered to raise ours from the default.
>>>>>>>>
>>>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003
>>>>>>> so i
>>>>>>> raised it to 2008 R2. Tested with an user account and at first it
>>>>>>> exported only des and rc4 keys. After setting the password for that
>>>>>>> user
>>>>>>> again (what rowland recommended in an other reply) it does now
>>>>>>> export
>>>>>>> aes keys for that user. For an computer account you may have to
>>>>>>> rejoin
>>>>>>> the computer to trigger the generation of an new password for that
>>>>>>> account immediate.
>>>>>>>
>>>>>>
>>>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test
>>>>>> domain. One final (I think/hope) question: How might I deal with
>>>>>> password resets of the DC computer accounts themselves, to trigger
>>>>>> the creation of their AES keys?
>>>>>>
>>>>> The password is changed every 30 days by default if you did not
>>>>> disable it via gpo.
>>>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
>>>>>
>>>>>
>>>>> See here how to reset the computer account passwords manualy.
>>>>>
>>>> For the samba dc's you can use
>>>>
>>>> samba-tool user setpassword hostname$
>>>
>>> Heh, sheesh, embarrassing ... as easy as that.
>>>
>>> Thanks for your guidance! Rowland, thank you for chiming in as well!
>> Hmm, can be this does mess up replication.
>>
> Yes it does mess up replication! Do not use setpassword for the samba
> host !!!
> Glad I made an snapshot of my test vm before i tried it.
> It worked for an windows 7 client hosever the LDAP and cifs tickets
> where using aes256
Reading https://wiki.samba.org/index.php/Keytab_Extraction
----- snip ----------------
Offline Keytab Creation from Secrets.tdb
If the net command fails (after all, that could be the reason for us to
start sniffing...), you can still generate a keytab without domain admin
credentials, if you can get a hold on the server's secrets.tdb. This
method can also be done offline on a different machine.
tdbdump secrets.tdb
Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is
the value without the trailing zero. Use the *ktutil* utility to
construct the keytab:
------ snap -------------
We do not use ktutil but use the password mentioned here for the
"samba-tool user setpassword hostname$" command.
This does not break replication and the aes keys are exported.
More information about the samba
mailing list