[Samba] spn kerberos encoding types
Sami Hulkko
sahulkko at gmail.com
Thu Feb 5 16:54:45 UTC 2026
Hi,
I have created a 'services' user according to the instructions on the Samba
Wiki to enable an SPN for a server. In the RSAT tool on the Windows side, I
defined the use of enhanced Kerberos security types, which show in net ads enctypes:
'services' uses "msDS-SupportedEncryptionTypes": 28 (0x0000001c)
[ ] 0x00000001 DES-CBC-CRC
[ ] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
[ ] 0x00000020 AES256-CTS-HMAC-SHA1-96-SK
[ ] 0x00080000 RESOURCE-SID-COMPRESSION-DISABLED
Yet if I create an SPN and export the keytab with:
samba-tool domain exportkeytab --principal <spn_type>/domain.com somefile.keytab
the content is:
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server01.home.quantum-black-hole.com@HOME.QUANTUM-BLACK-HOLE.COM (DEPRECATED:arcfour-hmac)
How would one define that the SPN gets the enhanced encoding types in the command:
samba-tool spn add <spn_type>/domain.com <service_user>
if the <service_user> already has the high encryption types on?
--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com