[Samba] samba creating keytabs... ( possible bug, can someone confirm this )

Rowland Penny rpenny at samba.org
Sat Feb 4 12:30:29 UTC 2017


On Wed, 1 Feb 2017 14:43:52 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
>
> I noticed something strange in the keytab file on my member server. 
> 

I can confirm this, but it gets stranger ;-)

If I go into the computer's object and remove any 'http' lines so that I
have this:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com

If I then remove the keytab and recreate it, I then find this in the
computer's object:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com
servicePrincipalName: http/devclient
servicePrincipalName: http/devclient.samdom.example.com

The lowercase 'http' SPN lines are back!

And the relevant lines in the keytab are all lowercase:

   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-crc) 
   2 04/02/17 12:22:15 http/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-crc) 
   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (des-cbc-md5) 
   2 04/02/17 12:22:15 http/DEVCLIENT at SAMDOM.EXAMPLE.COM (des-cbc-md5) 
   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   2 04/02/17 12:22:15 http/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 04/02/17 12:22:15 http/DEVCLIENT at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (arcfour-hmac) 
   2 04/02/17 12:22:15 http/DEVCLIENT at SAMDOM.EXAMPLE.COM (arcfour-hmac) 

Rowland
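
An added example (not part of the original message, and not Samba code): a small Python check that compares a computer object's servicePrincipalName values with a keytab listing and reports SPNs that differ only by case, plus keytab principals whose case matches no SPN exactly. The sample input is constructed from the listings above; the assumed line layout of the keytab listing and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the listings in the message above.
SPN_LDIF = """\
servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com
servicePrincipalName: http/devclient
servicePrincipalName: http/devclient.samdom.example.com
"""
KLIST_LISTING = """\
   2 04/02/17 12:22:15 http/devclient.samdom.example.com at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/02/17 12:22:15 http/DEVCLIENT@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Assumed line layout: KVNO, date, time, principal, realm, (enctype).
# The realm separator is "@", or " at " as rewritten by the list archive.
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+?)(?:@| at )\S+\s+\(\S+\)\s*$")

def parse_spns(ldif):
    """Return the servicePrincipalName values found in LDIF-style text."""
    prefix = "serviceprincipalname:"
    return [line.split(":", 1)[1].strip() for line in ldif.splitlines()
            if line.strip().lower().startswith(prefix)]

def keytab_principals(listing):
    """Return the set of principal names (realm stripped) in the listing."""
    return {m.group(1) for m in map(ENTRY_RE.match, listing.splitlines()) if m}

def case_only_duplicates(names):
    """Group names that are identical except for letter case."""
    groups = defaultdict(set)
    for name in names:
        groups[name.lower()].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def compare(ldif, listing):
    """Report case-only duplicate SPNs and keytab names with no exact SPN."""
    spns = parse_spns(ldif)
    folded = {s.lower() for s in spns}
    mismatched = sorted(p for p in keytab_principals(listing)
                        if p not in spns and p.lower() in folded)
    return {"duplicate_spns": case_only_duplicates(spns),
            "keytab_case_mismatch": mismatched}

if __name__ == "__main__":
    print(compare(SPN_LDIF, KLIST_LISTING))
```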


