Dear all,

this is using Debian stretch and Louis' 4.8.11 packages. I am trying to export a keytab, and even for a UPN, samba does not export the AES keys. What could be the mistake?

root@dc2:~# net ads enctypes list dns-dc2
'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
root@dc2:~# rm dns.keytab
rm: remove regular file 'dns.keytab'? y
root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 \
dns.keytab
Export one principal to dns.keytab
root@dc2:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 dns-dc2@XXX (arcfour-hmac)
   4 dns-dc2@XXX (des-cbc-md5)
   4 dns-dc2@XXX (des-cbc-crc)

For reference, on the first DC, for example the DNS keytab for BIND9_DLZ exported during provisioning, has all 5 enctypes on it...

Thanks for any insights,

Christian
Hai,

That's a strange one..

> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)

Try this first.
sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Christian via samba
> Sent: Monday 29 April 2019 12:30
> To: samba at lists.samba.org
> Subject: [Samba] missing enctypes in exported keytab
>
> Dear all,
>
> this is using Debian stretch and Louis' 4.8.11 packages. I am trying to
> export a keytab, and even for a UPN, samba does not export the AES keys.
> What could be the mistake?
>
> root@dc2:~# net ads enctypes list dns-dc2
> 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> root@dc2:~# rm dns.keytab
> rm: remove regular file 'dns.keytab'? y
> root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 \
> dns.keytab
> Export one principal to dns.keytab
> root@dc2:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 dns-dc2@XXX (arcfour-hmac)
>    4 dns-dc2@XXX (des-cbc-md5)
>    4 dns-dc2@XXX (des-cbc-crc)
>
> For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
> exported during provisioning, has all 5 enctypes on it...
>
> Thanks for any insights,
>
> Christian
On 29.04.2019 at 12:55, L.P.H. van Belle via samba wrote:
> Hai,
>
> That's a strange one..
>
>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> Try this first.
> sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2

Same result.

Cheers,

Christian

> Greetz,
>
> Louis