Hi!

I'm aware of the wiki page about the subject, this one:
https://wiki.samba.org/index.php/Generating_Keytabs

I even added comments to this page, to the "Discussion" section.

How to actually export a keytab for a given principal? Be it samba-tool or something else?

I wasn't able to export any enctypes besides RC4-HMAC. Even if this enctype is explicitly *disabled* for the principal, by the net ads enctypes set command.

The generated keytab entry is about 40 bytes long (together with the principal name).

While the real keytab generated by samba when joining the domain is significantly larger, and contains all enctypes and all principals.

Thanks,

/mjt
On Sun, 2022-02-27 at 10:08 +0300, Michael Tokarev via samba wrote:
> Hi!
>
> I'm aware of the wiki page about the subject, this one:
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> I even added comments to this page, to the "Discussion"
> section.
>
> How to actually export a keytab for a given principal?
> Be it samba-tool or something else?

You can export a keytab using the information shown on the wiki page you linked to.

> I wasn't able to export any enctypes besides RC4-HMAC.
> Even if this enctype is explicitly *disabled* for the principal,
> by the net ads enctypes set command.

Now that is strange, when I try it, I get this:

pi@rpidc1:~ $ sudo samba-tool domain exportkeytab --principal=dhcpduser /tmp/dhcpduser1.keytab
Export one principal to /tmp/dhcpduser1.keytab
pi@rpidc1:~ $ sudo klist -ke /tmp/dhcpduser1.keytab
Keytab name: FILE:/tmp/dhcpduser1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dhcpduser@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dhcpduser@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dhcpduser@SAMDOM.EXAMPLE.COM (arcfour-hmac)

I think we need a bit more info: what OS, Samba version and where are you creating the keytab?

Rowland
On Sun, 2022-02-27 at 10:08 +0300, Michael Tokarev via samba wrote:
> Hi!
>
> I'm aware of the wiki page about the subject, this one:
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> I even added comments to this page, to the "Discussion"
> section.
>
> How to actually export a keytab for a given principal?
> Be it samba-tool or something else?
>
> I wasn't able to export any enctypes besides RC4-HMAC.
> Even if this enctype is explicitly *disabled* for the principal,
> by the net ads enctypes set command.

I'm not sure that is possible so far. My reading of the KDC code is that the msDS-SupportedEncryptionTypes only adds new encryption types.

The samba-tool domain exportkeytab command reads the DB in the same way as the KDC does when handling an AS-REQ or TGS-REQ to get a ticket as the client, or to a server when operated in --principal mode. So if other commands generate more keys, it is likely those won't ever be used.

> The generated keytab entry is about 40 bytes long (together
> with the principal name).
>
> While the real keytab generated by samba when joining the domain
> is significantly larger, and contains all enctypes and all
> principals.

The other principals are helpful for some tools, but if they all contain the same key material then, depending on the accepting application, it may make no difference (it can choose to match on key, just trying a decrypt with all available regardless, or be specific to a principal).

I hope this helps, and I agree this area could do with some refinement; patches are welcome.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
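Added example, not from this thread and not Samba code: the two things worth checking before trusting an exported keytab are the ones Rowland's klist -ke output and Andrew's remark about shared key material turn on, namely which enctypes the file actually carries (arcfour-hmac is enctype 23, the AES-SHA1 pair is 17 and 18) and whether several principal entries are really the same key under different names. The script below reads and writes the version-2 keytab layout (int32 record size, principal components, realm, name type, timestamp, 8-bit kvno, enctype and key, optional 32-bit kvno) so it can be run offline against a real file, and it builds its own sample keytabs from placeholder key bytes; the principals, key bytes and kvnos in the samples are constructed for the example, and the "join-style" sample only illustrates the shared-key case Andrew describes, not what a given Samba version writes.

```python
# Added example (not from the thread or from Samba): a minimal reader and
# writer for version 0x0502 keytabs, used to see which enctypes a keytab
# actually carries and whether its entries share key material.
import struct
from dataclasses import dataclass

# Enctype numbers as klist -ke names them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
KEYTAB_MAGIC = b"\x05\x02"  # file format version 0x0502 (MIT and Heimdal)


@dataclass
class KeytabEntry:
    principal: str  # "name/instance@REALM"
    kvno: int
    enctype: int
    key: bytes


def _octet_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Walk the file record by record; each record is an int32 size plus body."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:          # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _octet_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _octet_string(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:    # optional 32-bit kvno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def build_keytab(entries):
    """Serialise entries in the layout parse_keytab reads (used for the samples)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def klist_ke(data: bytes):
    """Render entries the way `klist -ke` lists them."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, str(e.enctype))})"
            for e in parse_keytab(data)]


def rc4_only(data: bytes) -> bool:
    """True when the keytab carries nothing but arcfour-hmac keys."""
    return {e.enctype for e in parse_keytab(data)} == {23}


def principals_sharing_keys(data: bytes):
    """Group principals by (enctype, key); a group of several names is one key reused."""
    groups = {}
    for e in parse_keytab(data):
        groups.setdefault((e.enctype, e.key), set()).add(e.principal)
    return list(groups.values())


# Constructed sample data; the key bytes are placeholders, not real keys.
K16, K32 = bytes(range(16)), bytes(range(32))
RC4_ONLY = build_keytab([KeytabEntry("dhcpduser@SAMDOM.EXAMPLE.COM", 1, 23, K16)])
FULL = build_keytab([
    KeytabEntry("dhcpduser@SAMDOM.EXAMPLE.COM", 1, 18, K32),
    KeytabEntry("dhcpduser@SAMDOM.EXAMPLE.COM", 1, 17, K16),
    KeytabEntry("dhcpduser@SAMDOM.EXAMPLE.COM", 1, 23, K16),
])
# Hypothetical join-style keytab: two principal names carrying the same keys.
JOIN = build_keytab([
    KeytabEntry("host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 18, K32),
    KeytabEntry("DC1$@SAMDOM.EXAMPLE.COM", 2, 18, K32),
    KeytabEntry("host/dc1.samdom.example.com@SAMDOM.EXAMPLE.COM", 2, 23, K16),
    KeytabEntry("DC1$@SAMDOM.EXAMPLE.COM", 2, 23, K16),
])
```

To check a real export, read the file with open(path, "rb").read() and pass it to klist_ke and rc4_only; rc4_only returning True on a freshly exported service keytab is exactly the symptom the original post describes, and principals_sharing_keys shows whether a multi-principal keytab is more than one key or just one key listed under several names.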