[Samba] spn kerberos encoding types
Kacper Wirski
kacper.wirski at gmail.com
Thu Feb 5 17:04:49 UTC 2026
So I had this issue with older samba versions and even after samba
upgrade. After I upgraded to recent packages I needed to reset krbtgt
account password and it finally solved it.
I'm not sure if it's the same issue, but check your samba version and
check when krbtgt account had its last password change (or, at which
samba version).
Here's a good working example of resetting krbtgt account password:
https://samba.tranquil.it/doc/en/samba_advanced_methods-samba_reset_krbtgt.html
Regards,
Kacper
On 05.02.2026 at 17:54, Sami Hulkko via samba wrote:
> Hi,
>
> I have created a 'services' user according to the instructions of
> Samba Wiki to enable spn for a server. I defined in RSAT tool from
> Windows side use of enhanced kerberos security types that show in net
> ads enctypes:
>
> 'services' uses "msDS-SupportedEncryptionTypes": 28 (0x0000001c)
> [ ] 0x00000001 DES-CBC-CRC
> [ ] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> [ ] 0x00000020 AES256-CTS-HMAC-SHA1-96-SK
> [ ] 0x00080000 RESOURCE-SID-COMPRESSION-DISABLED
>
> Yet if I create a spn and export keytable with:
>
> samba-tool domain exportkeytab --principal <spn_type>/domain.com somefile.keytab
>
> the content is:
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 nfs/server01.home.quantum-black-hole.com at HOME.QUANTUM-BLACK-HOLE.COM (DEPRECATED:arcfour-hmac)
>
> How would one define that spn gets enhanced encoding types in command:
>
> samba-tool spn add <spn_type>/domain.com <service_user>
>
> If the <service_user> has the high encryption types already on?
>
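An added example, not part of the original thread or of Samba: a small check that compares the enctypes an account advertises in msDS-SupportedEncryptionTypes with the enctypes actually present for a principal in a keytab listing, which is the mismatch described in the quoted message. The bit values are the ones shown in the quoted `net ads enctypes` output; the enctype names are assumed to follow MIT krb5 `klist -ke` naming, and the sample listing and principal are constructed.

```python
import re

# Bit values as printed by `net ads enctypes` in the quoted message, mapped to
# the enctype names klist prints (assumption: MIT krb5 naming). The 0x20 and
# 0x80000 flags are not key types and are ignored here.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

def advertised(mask):
    """Enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

# One keytab entry: KVNO, principal, "(enctype)" with optional DEPRECATED: prefix.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def keytab_enctypes(listing, principal):
    """Enctypes present for `principal` in `klist -ke` style output."""
    found = set()
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) == principal:
            found.add(m.group(3))
    return found

def audit(mask, listing, principal):
    """Compare what the account advertises with what the keytab holds."""
    want, have = advertised(mask), keytab_enctypes(listing, principal)
    return {
        "missing": sorted(want - have),       # advertised, but no key exported
        "unadvertised": sorted(have - want),  # key present, but not advertised
        "weak_only": bool(have) and have <= WEAK,
    }

# Constructed sample modelled on the listing in the quoted message.
SAMPLE = """KVNO Principal
---- ------------------------------------------------
   2 nfs/server01.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

if __name__ == "__main__":
    print(audit(28, SAMPLE, "nfs/server01.example.com@EXAMPLE.COM"))
```
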