Experts—

I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:

ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
    net.export_keytab(keytab=keytab, principal=principal)

Steps taken to recreate:

1. Create a user for the SPN

samba-tool user create web-intranet-macmini
<provided password when prompted>

2. Add the SPN:

samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
<succeeded without error>

3. Export the keytab file to be used on the intranet host:

samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
<Get the error listed above>

Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.

I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat-finger anything (and to make sure my contact lenses are making me see what I think I’m seeing), and I still get the error.

When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.

Is there something glaringly obvious I’m missing?

Mike
On Tue, 13 Sep 2016 22:53:44 -0500 Michael A Weber via samba <samba@lists.samba.org> wrote:

> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>
> ERROR(runtime): uncaught exception - Key table entry not found
> [...]
> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
> [...]
> Is there something glaringly obvious I’m missing?

Yes, the principal isn't the SPN when you try to export the keytab, it is the user.

Rowland
On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba@lists.samba.org> wrote:

> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
>
> Rowland

Rowland—

That appears to have worked. Should the wiki page be modified/updated to reflect this?

Also, I think some of the wording is confusing on the wiki page, specifically “this should then produce the keytab for the principAL ‘that you have exported’…” I’ve already exported a principAL? When? Or, am I currently exporting a principal with the samba-tool right then and there?

https://wiki.samba.org/index.php/Generating_Keytabs

Mike
On 14.09.2016 at 05:53, Michael A Weber via samba wrote:

> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
> [...]
> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> <succeeded without error>
> [...]
> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
> [...]

Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with

klist -Kek [your keytabfile]
On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba@lists.samba.org> wrote:

> Last time I created an SPN it was not necessary to add the realm part when creating the realm.
> It should be added automatically and you can verify it with
> klist -Kek [your keytabfile]

I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.

Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):

Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)

On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba@lists.samba.org> wrote:

> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
>
> Rowland

Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab as verified by the klist -Kek command:

Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)

Experts--

So, which method is the correct way to export a keytab for an SPN for, say, Apache?
Question though, just for my curiosity: The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used. Mike
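The thread leaves two things to check by hand after `samba-tool domain exportkeytab`: that the keytab really carries the `HTTP/...` service principal Apache will be asked for (not the account name), and which encryption types it holds. The script below is an added example, not code from the thread, from Samba or from the Samba wiki. It parses the shape of `klist -Kek` output as posted above and applies both checks. The three listings are constructed to mirror the two posted ones plus a hypothetical "good" export (SPN entry with AES keys); principals are written with a literal `@` here, which the list archive shows as " at ". The key values that `klist -K` prints are left out, as in the post, and the parser ignores them when present.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check a `klist -Kek`
# listing before handing a keytab to Apache. On the DC the real listing comes from:
#   samba-tool domain exportkeytab /root/intranet-macmini.keytab \
#       --principal=HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
#   klist -Kek /root/intranet-macmini.keytab
# The listings below are CONSTRUCTED to match the posted output (key values omitted).

SPN='HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD'

# As posted for the export by SPN: DES and RC4 keys only.
LISTING_SPN_ONLY='Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)'

# As posted for the export by account name: AES present, but the principal is
# the user, not the HTTP/ SPN that clients request a ticket for.
LISTING_USER='Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)'

# Hypothetical target state: the SPN itself, with AES keys.
LISTING_GOOD='Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)'

# keytab_enctypes LISTING PRINCIPAL
# Print the enctypes recorded for PRINCIPAL, space separated; empty if absent.
# Field 2 is the principal, field 3 the parenthesised enctype; a trailing key
# value (field 4, printed by klist -K) is ignored.
keytab_enctypes() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); printf "%s ", $3 } END { print "" }' |
        sed 's/ $//'
}

# keytab_check LISTING PRINCIPAL
# Return 0 if PRINCIPAL is present with at least one AES key; print a reason and
# return 1 otherwise. DES and RC4 entries are reported but do not fail the check
# by themselves: AD clients may still negotiate RC4, while DES has been disabled
# by default in Windows since Windows 7 / Server 2008 R2 and is dead weight.
keytab_check() {
    enctypes=$(keytab_enctypes "$1" "$2")
    if [ -z "$enctypes" ]; then
        echo "FAIL: no keytab entry for $2 (exported the account name instead of the SPN?)"
        return 1
    fi
    has_aes=0
    for e in $enctypes; do
        case "$e" in
            aes*)          has_aes=1 ;;
            des-cbc-*)     echo "WARN: $2 carries obsolete DES key $e" ;;
            arcfour-hmac*) echo "WARN: $2 carries RC4 key $e" ;;
        esac
    done
    if [ "$has_aes" -eq 0 ]; then
        echo "FAIL: $2 has no AES key; a service ticket the KDC encrypts with AES cannot be decrypted with this keytab"
        return 1
    fi
    echo "OK: $2 ($enctypes)"
    return 0
}

# Usage against a real file: keytab_check "$(klist -Kek /root/intranet-macmini.keytab)" "$SPN"
keytab_check "$LISTING_SPN_ONLY" "$SPN"   # FAIL: no AES key
keytab_check "$LISTING_USER" "$SPN"       # FAIL: entry is for the user, not the SPN
keytab_check "$LISTING_GOOD" "$SPN"       # OK
```

The check is deliberately keyed on the principal name Apache will look up, because GSSAPI on the web server searches the keytab by that name: an entry for `web-intranet-macmini@REALM` holds the same account keys but is not found when a client presents a ticket for `HTTP/intranet.domain2.domain1.tld@REALM`. Passing the listing as a string keeps the script runnable offline; on the DC, feed it the real `klist -Kek` output as in the usage comment.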