[Samba] missing enctypes in exported keytab

Christian chanlists at googlemail.com
Mon Apr 29 10:30:01 UTC 2019

Dear all,

this is using debian stretch and Louis' 4.8.11 packages. I am trying to
export a keytab, and even for a UPN, samba does not export the AES keys.
What could be the mistake?

root at dc2:~# net ads enctypes list dns-dc2
'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
root at dc2:~# rm dns.keytab
rm: remove regular file 'dns.keytab'? y
root at dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 \\
Export one principal to dns.keytab
root at dc2:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
   4 dns-dc2 at XXX (arcfour-hmac)
   4 dns-dc2 at XXX (des-cbc-md5)
   4 dns-dc2 at XXX (des-cbc-crc)

For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
exported during provisioning, has all 5 enctypes on it...

Thanks for any insights,


More information about the samba mailing list