[Samba] missing enctypes in exported keytab

Rowland Penny rpenny at samba.org
Mon Apr 29 17:56:40 UTC 2019


On Mon, 29 Apr 2019 19:31:55 +0200
Christian via samba <samba at lists.samba.org> wrote:

   
> >> root@dc1:~# samba-tool domain level show
> >> Domain and forest function level for domain 'DC=.....'
> >>
> >> Forest function level: (Windows) 2003
> >> Domain function level: (Windows) 2003
> >> Lowest function level of a DC: (Windows) 2008 R2
> >>
> > That explains it ;-)
> >
> > Try raising the functional level to 2008R2
> >
> > samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
> >
> > Rowland
> >  
> Still the same:
> 
> root@dc1:~# rm -f dns.keytab
> root@dc1:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=.......'
> 
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc1:~# samba-tool domain exportkeytab dns.keytab --principal=dns-dc1
> Export one principal to dns.keytab
> root@dc1:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc1@XXX (arcfour-hmac)
>    1 dns-dc1@XXX (des-cbc-md5)
>    1 dns-dc1@XXX (des-cbc-crc)
> 
> 
> I should mention that the AD is the result of a classicupgrade...
> Thanks,

That shouldn't make any difference; the 2003 level only used the three
enctypes you have now. This is on one of my DCs:

root@dc4:~# samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc4:~# klist -ke /root/dns.keytab
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)

Have you restarted the Samba DC?

Rowland
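
An added example, not part of the original thread: a small Python check that parses `klist -ke` output like the two listings above and reports principals whose keytab entries lack the AES enctypes. The function names are hypothetical and the sample strings are constructed from the listings quoted in this message.

```python
import re
from collections import defaultdict

# Enctype names as printed by `klist -ke`.
AES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
# DES is deprecated by RFC 6649, RC4 (arcfour-hmac) by RFC 8429.
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One entry line, e.g. "   1 dns-dc1@XXX (arcfour-hmac)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S.*?)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {(principal, kvno): {enctype, ...}} from `klist -ke` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line.lstrip("> "))  # tolerate mail-quoted output
        if m:
            kvno, principal, enctype = m.groups()
            keys[(principal, int(kvno))].add(enctype)
    return dict(keys)

def audit(text):
    """List (principal, kvno, missing AES enctypes, deprecated enctypes present)."""
    findings = []
    for (principal, kvno), etypes in sorted(parse_klist(text).items()):
        missing = sorted(AES - etypes)
        if missing:
            findings.append((principal, kvno, missing, sorted(etypes & DEPRECATED)))
    return findings

# Sample input constructed from the two listings quoted in the thread.
SAMPLE_DC1 = """Keytab name: FILE:dns.keytab
KVNO Principal
---- ------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)
"""
SAMPLE_DC4 = """Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- ------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DC1, SAMPLE_DC4):
        for principal, kvno, missing, weak in audit(sample):
            print(f"{principal} kvno {kvno}: missing {missing}; deprecated present {weak}")
```
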




