> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba@lists.samba.org> wrote:
>
> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>> Experts—
>>
>> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>>
>> ERROR(runtime): uncaught exception - Key table entry not found
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>     net.export_keytab(keytab=keytab, principal=principal)
>>
>> Steps taken to recreate:
>>
>> 1. Create a user for the SPN
>>
>> samba-tool user create web-intranet-macmini
>> <provided password when prompted>
>>
>> 2. Add the SPN:
>>
>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>> <succeeded without error>
>>
>> 3. Export the keytab file to be used on the intranet host:
>>
>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>
>> <Get the error listed above>
>>
>> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>>
>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat-finger anything (and to make sure my contact lenses are making me see what I think I’m seeing), and I still get the error.
>>
>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>>
>> Is there something glaringly obvious I’m missing?
>>
>> Mike
>
> Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with
> klist -Kek [your keytabfile]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.

Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):

Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)

> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba@lists.samba.org> wrote:
>
> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
>
> Rowland

Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab, as verified by the klist -Kek command:

Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)

Experts--

So, which method is the correct way to export a keytab for an SPN for, say, Apache?

Question though, just for my curiosity:

The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.

Mike
Am 14.09.2016 um 18:23 schrieb Michael A Weber:
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.

I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part, the AES keys are included. In your case --principal HTTP/intranet.

The encryption methods used can be controlled with net ads enctypes.

If I run (after kinit Administrator)

net ads enctypes list dc1$

I get

'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

If I use

net ads enctypes list dc1.domain.local$

I get

no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))

Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses DES and arcfour keys by default.
Am 14.09.2016 um 19:23 schrieb Achim Gottinger via samba:
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
> I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part, the AES keys are included. In your case --principal HTTP/intranet.
>
> The encryption methods used can be controlled with net ads enctypes.
>
> If I run (after kinit Administrator)
> net ads enctypes list dc1$
> I get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> If I use
> net ads enctypes list dc1.domain.local$
> I get
> no account found with filter:
> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>
> Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses DES and arcfour keys by default.

After modifying the enctypes, domain exportkeytab still exports all the enctypes, so it does not seem to inspect the msDS-SupportedEncryptionTypes attribute, neither of the user account (UPN) nor of the host's account (hostname part of the SPN). I'm using a 4.4.5 backport on Debian jessie btw.
> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba@lists.samba.org> wrote:
>
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
> I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part, the AES keys are included. In your case --principal HTTP/intranet.

So, now I’m a little more confused. I’ve added the SPN to the user without the realm part, which succeeds. I listed it to verify, and it’s there (sanitized here):

samba-tool spn list web-intranet-macmini
web-intranet-macmini
User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName:
     HTTP/intranet.domain2.domain1.tld

Then, if I go to export the keytab as you have indicated above with --principal=HTTP/intranet, it errors:

samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
    net.export_keytab(keytab=keytab, principal=principal)

Should that command work? Or was that for demonstration/explanation purposes only? I’m assuming it worked for you since you referenced my specific case. I feel I’m missing something.

> The encryption methods used can be controlled with net ads enctypes.
>
> If I run (after kinit Administrator)
> net ads enctypes list dc1$
> I get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96

I get this as well.

> If I use
> net ads enctypes list dc1.domain.local$
> I get
> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))

Again, I get this as well.

> Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses DES and arcfour keys by default.

Mike
Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba@lists.samba.org> wrote:
>>
>> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>>> Experts—
>>>
>>> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>>>
>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>
>>> Steps taken to recreate:
>>>
>>> 1. Create a user for the SPN
>>>
>>> samba-tool user create web-intranet-macmini
>>> <provided password when prompted>
>>>
>>> 2. Add the SPN:
>>>
>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>>> <succeeded without error>
>>>
>>> 3. Export the keytab file to be used on the intranet host:
>>>
>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>>
>>> <Get the error listed above>
>>>
>>> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>>>
>>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat-finger anything (and to make sure my contact lenses are making me see what I think I’m seeing), and I still get the error.
>>>
>>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>>>
>>> Is there something glaringly obvious I’m missing?
>>>
>>> Mike
>> Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with
>> klist -Kek [your keytabfile]
>
> I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.
>
> Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
>
> Keytab name: FILE:/root/intranet-macmini.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>
>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba@lists.samba.org> wrote:
>>
>> Yes, the principal isn't the SPN when you try to export the keytab, it
>> is the user.
>>
>> Rowland
>
> Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab, as verified by the klist -Kek command:
>
> Keytab name: FILE:/root/intranet-macmini.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>
> Experts--
>
> So, which method is the correct way to export a keytab for an SPN for, say, Apache?
>
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>
> Mike

You can use ktutil to add the AES keys manually. You can not use a random password for the user account with this.

# ktutil
ktutil: rkt [keytabfile]
ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD -k 1 -e aes256-cts-hmac-sha1-96
ktutil: [enter the password used for web-intranet-macmini]
ktutil: wkt [keytabfile]
ktutil: q

I have not tested this, but it should work; I used a similar approach with samba 4.0 for imap and smtp principals.
> On Sep 14, 2016, at 12:57 PM, Achim Gottinger <achim@ag-web.biz> wrote:
>
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>>> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba@lists.samba.org> wrote:
>>>
>>> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>>>> Experts—
>>>>
>>>> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>>>>
>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>
>>>> Steps taken to recreate:
>>>>
>>>> 1. Create a user for the SPN
>>>>
>>>> samba-tool user create web-intranet-macmini
>>>> <provided password when prompted>
>>>>
>>>> 2. Add the SPN:
>>>>
>>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>>>> <succeeded without error>
>>>>
>>>> 3. Export the keytab file to be used on the intranet host:
>>>>
>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>>>
>>>> <Get the error listed above>
>>>>
>>>> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>>>>
>>>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat-finger anything (and to make sure my contact lenses are making me see what I think I’m seeing), and I still get the error.
>>>>
>>>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>>>>
>>>> Is there something glaringly obvious I’m missing?
>>>>
>>>> Mike
>>> Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with
>>> klist -Kek [your keytabfile]
>>
>> I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.
>>
>> Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
>>
>> Keytab name: FILE:/root/intranet-macmini.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>>    1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>>
>>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba@lists.samba.org> wrote:
>>>
>>> Yes, the principal isn't the SPN when you try to export the keytab, it
>>> is the user.
>>>
>>> Rowland
>>
>> Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab, as verified by the klist -Kek command:
>>
>> Keytab name: FILE:/root/intranet-macmini.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
>>    1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
>>
>> Experts--
>>
>> So, which method is the correct way to export a keytab for an SPN for, say, Apache?
>>
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>>
>> Mike
> You can use ktutil to add the AES keys manually. You can not use a random password for the user account with this.
>
> # ktutil
> ktutil: rkt [keytabfile]
> ktutil: addent -password -p HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD -k 1 -e aes256-cts-hmac-sha1-96
> ktutil: [enter the password used for web-intranet-macmini]
> ktutil: wkt [keytabfile]
> ktutil: q
>
> I have not tested this, but it should work; I used a similar approach with samba 4.0 for imap and smtp principals.

I just did this, and I confirm, it did work. Fortunately for me, I don’t use a random password for the user account, but rather a password generator and encrypted storage for them so I can retrieve them.

However, for Rowland’s wiki needs, what would be the correct way/command to export this so that the SPN listed is the one intended (i.e. HTTP/fqhn@realm), since using --principal=user exports a keytab with a user@realm, not the intended SPN? I’m guessing we do it as you have suggested by leaving off the realm, and then for the added algorithms, we add them via ktutil. Does that sound right?

Mike