On 15.09.2016 at 09:35, Rowland Penny via samba wrote:
> On Wed, 14 Sep 2016 16:23:27 -0500
> Michael A Weber via samba <samba at lists.samba.org> wrote:
>
>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz> wrote:
>>>
>>> On 14.09.2016 at 20:33, Michael A Weber wrote:
>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz> wrote:
>>>>>
>>>>> On 14.09.2016 at 19:53, Michael A Weber wrote:
>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>> On 14.09.2016 at 18:23, Michael A Weber wrote:
>>>>>>>> Question though, just for my curiosity:
>>>>>>>>
>>>>>>>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>>>>>>> I get the same behaviour here. If I do not use the FQDN and only the hostname without the domain part, the aes keys are included. In your case --principal HTTP/intranet.
>>>>>> So, now I’m a little more confused. I’ve added the SPN to the user without the realm part, which succeeds. I listed it to verify, and it’s there (sanitized here):
>>>>>>
>>>>>> samba-tool spn list web-intranet-macmini
>>>>>> web-intranet-macmini
>>>>>> User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName:
>>>>>> HTTP/intranet.domain2.domain1.tld
>>>>>>
>>>>>> Then, if I go to export the keytab as you have indicated above with --principal=HTTP/intranet it errors:
>>>>>>
>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
>>>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>>>
>>>>>> Should that command work? Or, was that for demonstration/explanation purposes only? I’m assuming it worked for you since you referenced my specific case.
>>>>>>
>>>>>> I feel I’m missing something.
>>>>>>
>>>>>>> The encryption methods used can be controlled with net ads enctypes.
>>>>>>>
>>>>>>> If I run (after kinit Administrator)
>>>>>>> net ads enctypes list dc1$
>>>>>>> I get
>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>>>>>>> [X] 0x00000001 DES-CBC-CRC
>>>>>>> [X] 0x00000002 DES-CBC-MD5
>>>>>>> [X] 0x00000004 RC4-HMAC
>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>>>>>>>
>>>>>> I get this as well.
>>>>>>
>>>>>>> If I use
>>>>>>> net ads enctypes list dc1.domain.local$
>>>>>>> I get
>>>>>>> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>>>>>>>
>>>>>> Again, I get this as well.
>>>>>>
>>>>>>> Seems "samba-tool domain exportkeytab" uses a similar algorithm and therefore does not find the account and uses des and arcfour keys per default.
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>>>> Mike
>>>>> Try this
>>>>> net ads enctypes set web-intranet-macmini 31
>>>>>
>>>>> Afterwards "domain export" will export also aes keys for the SPNs.
>>>> And, this is why I addressed you as “experts” earlier. Indeed, it did!
>>>>
>>>> Now, I’m going to use ktutil to pull these into my existing keytab on the destination machine and begin my testing.
>>>>
>>>> Thank you tremendously (although I think we may have created hell for Rowland with the wiki documentation)!
>>>>
>>>> Mike
>>> I was wondering about the missing aes keys for a while. So thanks for bringing it up on the list.
>>>
>>> If a user gets created, the attribute msDS-SupportedEncryptionTypes remains undefined and in this case only des and rc4 keys are exported.
>>>
>>> net ads enctypes set [hostname] [key value] can be used to define the valid keys for an account (and its SPNs).
>>>
>>> The key value is represented as
>>> 0x00000001 DES-CBC-CRC
>>> 0x00000002 DES-CBC-MD5
>>> 0x00000004 RC4-HMAC
>>> 0x00000008 AES128-CTS-HMAC-SHA1-96
>>> 0x00000010 AES256-CTS-HMAC-SHA1-96
>> (you mean, 0x00000016, for the last entry)
>>
>>> So using 31 enables all of them. samba-tool domain exportkeytab always exports des and rc4 keys but honours 0x8 for aes128 and 0x10 for aes256. I assume if enctypes are set to 24 for example (only aes128/256) the server will honour this and decline des and rc4 attempts.
>>>
>> That’s interesting, indeed.
>>
>> Rowland—
>>
>> This whole thing seems to me like we are duplicating the functionality of the ktpass command on a Windows AD. With that command, one would need to include an encoding type, and I’m just wondering if it should be included in the wiki pages as well rather than trying to add it back manually after the export. Also, something tells me that the ktpass command, when creating the SPN for a user, also sets the required encoding type.
>>
>> Thoughts?
>>
>> Mike
> The problem is the command 'samba-tool spn add' does just that, it only adds the 'servicePrincipalName', no enctypes are mentioned.
>
> Exporting the keytab is the same, there is no mention of enctypes.
>
> So, until this changes, the wiki can only document what actually happens.
>
> Rowland

Hello Rowland,

As I wrote before, you can use the command

net ads enctypes set [username] 31

to convince domain export to export also the aes keys for the SPNs assigned to [username], like it is done for [username].
If only aes keys are wanted in the keytab file, unwanted keys can be removed from the keytab file with ktutil.

See here for more info about "net ads enctypes":
https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html
It controls which encryption types are used for ticket generation on the server.

achim~
Achim Gottinger via samba wrote on 9/15/16 1:20 AM:
> [...]
>
> Hello Rowland,
>
> As I wrote before, you can use the command
>
> net ads enctypes set [username] 31
>
> to convince domain export to export also the aes keys for the SPNs assigned to [username], like it is done for [username].
> If only aes keys are wanted in the keytab file, unwanted keys can be removed from the keytab file with ktutil.
>
> See here for more info about "net ads enctypes":
> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html
> It controls which encryption types are used for ticket generation on the server.
>
> achim~

I've been trying to follow this thread but admit I'm still missing something. Given the example below, what needs to be done to get the aes keys in the keytab, exactly?

# net ads enctypes list hostname$
'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

# samba-tool domain exportkeytab test --principal=hostname$

# klist -ke test
Keytab name: FILE:test
KVNO Principal
---- --------------------------------------------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)
On Fri, 16 Sep 2016 13:00:52 -0700
Robert Moulton via samba <samba at lists.samba.org> wrote:

> [...]
>
> I've been trying to follow this thread but admit I'm still missing something. Given the example below, what needs to be done to get the aes keys in the keytab, exactly?
>
> # net ads enctypes list hostname$
> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> # samba-tool domain exportkeytab test --principal=hostname$
>
> # klist -ke test
> Keytab name: FILE:test
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 hostname$@EXAMPLE.COM (des-cbc-crc)
>    1 hostname$@EXAMPLE.COM (des-cbc-md5)
>    1 hostname$@EXAMPLE.COM (arcfour-hmac)

If I 'kinit Administrator' before running your commands as root on a DC, I get this:

klist -ke devstation.keytab
Keytab name: FILE:devstation.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)

Rowland
On 16.09.2016 at 22:00, Robert Moulton via samba wrote:
> [...]
>
> I've been trying to follow this thread but admit I'm still missing something. Given the example below, what needs to be done to get the aes keys in the keytab, exactly?
>
> # net ads enctypes list hostname$
> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [...]
>
> # samba-tool domain exportkeytab test --principal=hostname$
>
> # klist -ke test
> Keytab name: FILE:test
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 hostname$@EXAMPLE.COM (des-cbc-crc)
>    1 hostname$@EXAMPLE.COM (des-cbc-md5)
>    1 hostname$@EXAMPLE.COM (arcfour-hmac)

What version of samba are you using? For my tests I used 4.4.5. "net enctypes" was added with version 4.2.10.

Setting enctypes was only necessary here for aes keys with SPNs as principals. UPNs/usernames always export the aes keys here.
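Putting the thread's procedure together, here is an added example; it is not code from the thread, from any of the posters, or from the Samba project. It covers Achim's `net ads enctypes set ... 31` and `exportkeytab` fix and the `klist -ke` listings Robert and Rowland posted, and goes one step further than the thread by auditing such a listing for missing AES keys and generating the ktutil script that removes the DES and RC4 entries Achim says exportkeytab always writes. It assumes MIT Kerberos `klist` and `ktutil` (the `rkt`/`delent`/`wkt` commands and slot numbering are MIT's, not Heimdal's), that ktutil's slot order is the file order `klist -ke` prints, and that newer MIT `klist` may prefix deprecated enctypes with `DEPRECATED:`; the sample listings are constructed to mirror the ones above, and `export_aes_keytab` wraps the real commands and needs root on a Samba AD DC, so it is defined but not run.

```shell
#!/bin/sh
# Added example, not from the samba list thread or from the Samba project.
# Assumes MIT Kerberos klist/ktutil (rkt, delent, wkt) and that ktutil slot
# numbers follow the same file order `klist -ke` prints. Sample listings
# below are constructed to mirror the ones posted in the thread.

# Decode an msDS-SupportedEncryptionTypes bitmask into the names that
# `net ads enctypes list` prints (bit values as quoted in the thread).
decode_enctypes() {
    mask=$1
    out=""
    [ $((mask & 1)) -ne 0 ]  && out="$out DES-CBC-CRC"
    [ $((mask & 2)) -ne 0 ]  && out="$out DES-CBC-MD5"
    [ $((mask & 4)) -ne 0 ]  && out="$out RC4-HMAC"
    [ $((mask & 8)) -ne 0 ]  && out="$out AES128-CTS-HMAC-SHA1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out AES256-CTS-HMAC-SHA1-96"
    echo "${out# }"
}

# Read `klist -ke` output on stdin and print one line per problem:
#   MISSING-AES <principal>   the principal has no aes key at all
#   WEAK-KEYS <principal>     des or arcfour keys are still in the keytab
# Exit 0 only when every principal has AES keys and nothing weaker.
# Newer MIT klist prefixes deprecated enctypes with "DEPRECATED:"; strip it.
audit_keytab_listing() {
    awk '
        /^ *[0-9]+ / {
            princ = $2; enc = $3
            gsub(/[()]/, "", enc); sub(/^DEPRECATED:/, "", enc)
            seen[princ] = 1
            if (enc ~ /^aes/) aes[princ] = 1
            if (enc ~ /^(des|arcfour)/) weak[princ] = 1
        }
        END {
            rc = 0
            for (p in seen) {
                if (!(p in aes)) { printf "MISSING-AES %s\n", p; rc = 1 }
                if (p in weak)   { printf "WEAK-KEYS %s\n", p; rc = 1 }
            }
            exit rc
        }'
}

# Slot numbers (1-based, file order) of DES/arcfour entries, highest first,
# so deleting them one by one with `delent` never renumbers a later target.
weak_slots() {
    awk '
        /^ *[0-9]+ / {
            n++; enc = $3
            gsub(/[()]/, "", enc); sub(/^DEPRECATED:/, "", enc)
            if (enc ~ /^(des|arcfour)/) w[++k] = n
        }
        END { for (i = k; i >= 1; i--) print w[i] }'
}

# Build a ktutil script that copies IN to OUT without the weak entries:
#   klist -ke IN | ktutil_strip_weak IN OUT | ktutil
# OUT must not exist yet, because MIT `wkt` appends to an existing keytab.
ktutil_strip_weak() {
    echo "rkt $1"
    weak_slots | sed 's/^/delent /'
    echo "wkt $2"
}

# The fix from the thread as one step (defined only; needs root on a Samba
# AD DC and a ticket from `kinit Administrator`). 31 = 0x1f sets all five
# bits, so exportkeytab emits AES keys for the account's SPNs as well.
export_aes_keytab() {
    account=$1; principal=$2; out=$3
    net ads enctypes set "$account" 31 &&
    samba-tool domain exportkeytab "$out" --principal="$principal" &&
    klist -ke "$out" | audit_keytab_listing
}

# Constructed sample listings in the shape `klist -ke` prints (no real keys).
SAMPLE_NO_AES='Keytab name: FILE:test
KVNO Principal
---- --------------------------------------------------------------------------
   1 hostname$@EXAMPLE.COM (des-cbc-crc)
   1 hostname$@EXAMPLE.COM (des-cbc-md5)
   1 hostname$@EXAMPLE.COM (arcfour-hmac)'

SAMPLE_MIXED='Keytab name: FILE:devstation.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)'

echo "31 -> $(decode_enctypes 31)"
echo "24 -> $(decode_enctypes 24)"
printf '%s\n' "$SAMPLE_NO_AES" | audit_keytab_listing || echo "(set enctypes on the account and re-export)"
printf '%s\n' "$SAMPLE_MIXED" | audit_keytab_listing || echo "(strip the weak entries with:)"
printf '%s\n' "$SAMPLE_MIXED" | ktutil_strip_weak devstation.keytab devstation-aes.keytab
```

The audit reports Robert's listing as MISSING-AES (nothing but DES and RC4 was exported) and Rowland's as WEAK-KEYS (AES keys present, but the DES and RC4 entries exportkeytab always writes are still there). For the second case the generated script is what Achim's "remove unwanted keys with ktutil" amounts to; it is deliberately written to a fresh output file rather than rewriting the keytab in place, so the original stays available if a service turns out to need one of the removed enctypes.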