[Samba] Exporting keytab with samba-tool

Andrew Bartlett abartlet at samba.org
Sun Feb 27 20:45:58 UTC 2022


On Sun, 2022-02-27 at 10:08 +0300, Michael Tokarev via samba wrote:
> Hi!
> 
> I'm aware for the wiki page about the subject, this one:
> https://wiki.samba.org/index.php/Generating_Keytabs
> 
> I even added comments to this page, to the "Discussion"
> section.
> 
> How to actually export keytab for a given principal?
> Be it samba-tool or something else?
> 
> I wasn't able to export any enctypes besides RC4-HMAC.
> Even if this enctype is explicitly *disabled* for the principal,
> by net ads enctypes set command.

I'm not sure that is possible so far.  My reading of the KDC code is
that the msDS-SupportedEncryptionTypes only adds new encryption types.

The samba-tool domain exportkeytab command reads the DB in the same way
as the KDC does when handling an AS-REQ or TGS-REQ to get a ticket as
the client or to a server when operated in --principal mode.

So if other commands generate more keys, it is likely those won't ever
be used.

> The generated keytab entry is about 40 bytes long (together
> with the principal name).
> 
> While the real keytab generated by samba when joining domain
> is significantly larger, contains all enctypes and all
> principals.

The other principals are helpful for some tools, but if they all
contain the same key material then depending on the accepting
application it may make no difference (it can choose to match on key -
just trying a decrypt with all available regardless - or be specific to
a principal). 

I hope this helps, and I agree this area could do with some refinement,
patches are welcome.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
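To make the situation Andrew describes checkable on a real DC, here is a small POSIX shell helper. It is an added example, not code from the thread or from the Samba project: it decodes the low bits of msDS-SupportedEncryptionTypes (the bit values are the ones Active Directory documents for that attribute: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256), extracts the enctypes actually present in a keytab from MIT `klist -k -e -t` output, and, when `samba-tool` and `klist` are installed, runs `samba-tool domain exportkeytab ... --principal=...` for a principal you name and lists what came out. The keytab path /tmp/check.keytab and the sample klist listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or from Samba itself).
# Compare what msDS-SupportedEncryptionTypes claims with what an exported
# keytab actually contains.

# Decode the enctype bits of msDS-SupportedEncryptionTypes (decimal or 0x hex).
# Bit values as documented for the AD attribute; higher flag bits are ignored.
decode_enctypes() {
    mask=$(( $1 ))
    out=""
    if [ $(( mask & 0x01 )) -ne 0 ]; then out="$out des-cbc-crc"; fi
    if [ $(( mask & 0x02 )) -ne 0 ]; then out="$out des-cbc-md5"; fi
    if [ $(( mask & 0x04 )) -ne 0 ]; then out="$out rc4-hmac"; fi
    if [ $(( mask & 0x08 )) -ne 0 ]; then out="$out aes128-cts-hmac-sha1-96"; fi
    if [ $(( mask & 0x10 )) -ne 0 ]; then out="$out aes256-cts-hmac-sha1-96"; fi
    printf '%s\n' "${out# }"
}

# Read "klist -k -e -t <keytab>" output on stdin (MIT format, enctype in
# parentheses at the end of each entry line) and print the distinct enctypes,
# sorted, space separated. Header lines carry no parentheses and are skipped.
enctypes_from_klist() {
    sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Live check: export a keytab for one principal and list its enctypes.
# Needs samba-tool and MIT klist on the DC (Heimdal users: "ktutil -k FILE list").
check_principal() {
    princ="$1"
    keytab="${2:-/tmp/check.keytab}"   # assumed scratch path for the example
    samba-tool domain exportkeytab "$keytab" --principal="$princ" || return 1
    klist -k -e -t "$keytab" | enctypes_from_klist
}

# Constructed sample of MIT klist output, used only to demonstrate parsing.
SAMPLE_KLIST='Keytab name: FILE:/tmp/check.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/27/2022 10:08:00 host/dc1.example.com@EXAMPLE.COM (arcfour-hmac)
   1 02/27/2022 10:08:00 host/dc1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 02/27/2022 10:08:00 host/dc1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

echo "attribute 0x1c decodes to: $(decode_enctypes 0x1c)"
echo "sample keytab contains:    $(printf '%s\n' "$SAMPLE_KLIST" | enctypes_from_klist)"

# With a principal argument, do the real export and listing on this DC.
if [ -n "${1:-}" ]; then
    check_principal "$1"
fi
```

To get the attribute value for comparison, query it directly from sam.ldb, for example `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=DC1$)' msDS-SupportedEncryptionTypes`, or use `net ads enctypes list` as in the question. If the attribute decodes to AES-only but the exported keytab shows only arcfour-hmac, you are seeing exactly the behaviour discussed above, with the keytab reflecting what the KDC code path returns rather than what the attribute restricts.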
