[Samba] missing enctypes in exported keytab

L.P.H. van Belle belle at bazuin.nl
Mon Apr 29 10:55:05 UTC 2019


Hai, 

That's a strange one..

> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) 

Try this first. 
 sudo samba-tool domain exportkeytab dns.keytab  --principal=dns-dc2


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian via samba
> Sent: Monday 29 April 2019 12:30
> To: samba at lists.samba.org
> Subject: [Samba] missing enctypes in exported keytab
> 
> Dear all,
> 
> this is using debian stretch and Louis' 4.8.11 packages. I am trying to
> export a keytab, and even for a UPN, samba does not export the AES keys.
> What could be the mistake?
> 
> root@dc2:~# net ads enctypes list dns-dc2
> 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> root@dc2:~# rm dns.keytab
> rm: remove regular file 'dns.keytab'? y
> root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 dns.keytab
> Export one principal to dns.keytab
> root@dc2:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 dns-dc2@XXX (arcfour-hmac)
>    4 dns-dc2@XXX (des-cbc-md5)
>    4 dns-dc2@XXX (des-cbc-crc)
> 
> For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
> exported during provisioning, has all 5 enctypes on it...
> 
> Thanks for any insights,
> 
> Christian
> 
> 
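As an added example (not part of either poster's message and not Samba code), the comparison made by eye in this thread can be scripted: decode the "msDS-SupportedEncryptionTypes" bitmask, parse `klist -ke` output, and report which advertised enctypes the keytab lacks. It assumes the MIT `klist -ke` line format shown in the thread; the function names and the sample text are constructed for illustration.

```python
import re

# msDS-SupportedEncryptionTypes bits as listed by `net ads enctypes list`,
# mapped to the enctype names that `klist -ke` prints.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------
   4 dns-dc2@XXX (arcfour-hmac)
   4 dns-dc2@XXX (des-cbc-md5)
   4 dns-dc2@XXX (des-cbc-crc)
"""

# "<kvno> <principal> (<enctype>)"; newer MIT builds prefix weak types with DEPRECATED:
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def advertised(mask):
    """Enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def keytab_enctypes(klist_text, principal):
    """Return {kvno: {enctype, ...}} for one principal (realm ignored)."""
    found = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2).split("@")[0].lower() == principal.lower():
            found.setdefault(int(m.group(1)), set()).add(m.group(3).lower())
    return found

def audit(klist_text, principal, mask):
    """Compare the newest kvno in the keytab against the advertised enctypes."""
    by_kvno = keytab_enctypes(klist_text, principal)
    if not by_kvno:
        return {"kvno": None, "missing": sorted(advertised(mask)), "weak_only": False}
    kvno = max(by_kvno)
    present = by_kvno[kvno]
    return {"kvno": kvno, "missing": sorted(advertised(mask) - present),
            "weak_only": present <= WEAK}

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, "dns-dc2", 31))
```

A result with `weak_only` set means the keytab holds only DES and RC4 keys for that principal, even though the account advertises AES.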



