Achim Gottinger via samba wrote on 9/16/16 4:14 PM:> > > Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >> >> >> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>> >>>> >>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>> >>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>> >>>>>>>> >>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>> >>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger <achim at ag-web.biz> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <achim at ag-web.biz >>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: I see >>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not the >>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong >>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading that >>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read >>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the FQDN and >>>>>>>>>>>>>>> only the hostname without the domain part the aes keys are >>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>> the >>>>>>>>>>>>>> user without the realm part, which succeeds. I listed it to >>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>> >>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>> User >>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>> >>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>> above >>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>> >>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>> exception - >>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>> >>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>> >>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> The encryption methods used can be controlled with net ads >>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>> >>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>> algorythm and therefore does not find the account and uses >>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>> Mike >>>>>>>>>>>>> Try this >>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>> >>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for the >>>>>>>>>>>>> SPN's. >>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. Indeed, >>>>>>>>>>>> it did! >>>>>>>>>>>> >>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>> >>>>>>>>>>>> Thank you tremendously (although I think we may have created >>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>> >>>>>>>>>>>> Mike >>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>> >>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this case >>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>> >>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>> define >>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>> >>>>>>>>>>> The key value is repesented as >>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>> >>>>>>>>>>> So using 31 enables all of them. samba-tool domain exportkeytab >>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for aes128 >>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> That’s interesting, indeed. >>>>>>>>>> >>>>>>>>>> Rowland— >>>>>>>>>> >>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>> functionality of the ktpass command on a Windows AD. With that >>>>>>>>>> command, one would need to include an encoding type, and I’m just >>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>> Also, something tells me that the ktpass command, when creating >>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>> >>>>>>>>>> Thoughts? >>>>>>>>>> >>>>>>>>>> Mike >>>>>>>>> The problem is the command 'samba-tool spn add' does just that, it >>>>>>>>> only adds the 'servicePrincipalName', no enctypes are mentioned. >>>>>>>>> >>>>>>>>> Exporting the keytab is the same, there is no mention of enctypes >>>>>>>>> >>>>>>>>> So, until this changes, the wiki can only document what actually >>>>>>>>> happens. >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>> Hello Rowland, >>>>>>>> >>>>>>>> As I wrote before you can use the command >>>>>>>> >>>>>>>> net ads enctypes set [username] 31 >>>>>>>> >>>>>>>> to convince domain export to export also the aes keys for the SPN's >>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>> If only aes keys are wanted in the keytab file unwanted keys can be >>>>>>>> removed from the keytab file with ktutil. >>>>>>>> >>>>>>>> See here for more info about "net ads enctypes" >>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>> >>>>>>>> >>>>>>>> It controls which encryption types are used for ticket generation >>>>>>>> on the server. >>>>>>>> >>>>>>>> achim~ >>>>>>> >>>>>>> I've been trying to follow this thread but admit I'm still missing >>>>>>> something. Given the example below, what needs to be done to get the >>>>>>> aes keys in the keytab, exactly? >>>>>>> >>>>>>> # net ads enctypes list hostname$ >>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>> >>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>> >>>>>>> # klist -ke test >>>>>>> Keytab name: FILE:test >>>>>>> KVNO Principal >>>>>>> ---- >>>>>>> -------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>> >>>>>> >>>>>> If I 'kinit Administrator' before running your commands as root on a >>>>>> DC, I get this: >>>>>> >>>>>> klist -ke devstation.keytab >>>>>> Keytab name: FILE:devstation.keytab >>>>>> KVNO Principal >>>>>> ---- >>>>>> -------------------------------------------------------------------------- >>>>>> >>>>>> >>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>> >>>>>> Rowland >>>>> >>>>> Yeah, sorry, I should have specified that I did exactly that -- 'kinit >>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>> commands I listed. >>>>> >>>>> Hm ... would domain/forest functional level matter? we've never >>>>> bothered to raise ours from the default. >>>>> >>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>> so i >>>> raised it to 2008 R2. Tested with an user account and at first it >>>> exported only des and rc4 keys. After setting the password for that >>>> user >>>> again (what rowland recommended in an other reply) it does now export >>>> aes keys for that user. For an computer account you may have to rejoin >>>> the computer to trigger the generation of an new password for that >>>> account immediate. >>>> >>> >>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>> domain. One final (I think/hope) question: How might I deal with >>> password resets of the DC computer accounts themselves, to trigger >>> the creation of their AES keys? >>> >> The password is changed every 30 days by default if you did not >> disable it via gpo. >> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >> >> See here how to reset the computer account passwords manualy. >> > For the samba dc's you can use > > samba-tool user setpassword hostname$Heh, sheesh, embarrassing ... as easy as that. Thanks for your guidance! Rowland, thank you for chiming in as well!
Am 17.09.2016 um 01:23 schrieb Robert Moulton:> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >> >> >> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>> >>> >>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>>> >>>>> >>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>>> >>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>>> >>>>>>>>> >>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>>> >>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger >>>>>>>>>>>> <achim at ag-web.biz> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger >>>>>>>>>>>>>> <achim at ag-web.biz >>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: I >>>>>>>>>>>>>>>>> see >>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong >>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading >>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I read >>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the >>>>>>>>>>>>>>>> FQDN and >>>>>>>>>>>>>>>> only the hostname without the domain part the aes keys are >>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed >>>>>>>>>>>>>>> it to >>>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>>> User >>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>>> above >>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The encryption methods used can be controlled with net ads >>>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>>>>>>>> (0x0000001f) >>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>>> algorythm and therefore does not find the account and uses >>>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>> Try this >>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for the >>>>>>>>>>>>>> SPN's. >>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. >>>>>>>>>>>>> Indeed, >>>>>>>>>>>>> it did! >>>>>>>>>>>>> >>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>>> >>>>>>>>>>>>> Thank you tremendously (although I think we may have created >>>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>>> >>>>>>>>>>>>> Mike >>>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>>> >>>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this >>>>>>>>>>>> case >>>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>>> >>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>>> define >>>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>>> >>>>>>>>>>>> The key value is repesented as >>>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>>> >>>>>>>>>>>> So using 31 enables all of them. samba-tool domain >>>>>>>>>>>> exportkeytab >>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for aes128 >>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> That’s interesting, indeed. >>>>>>>>>>> >>>>>>>>>>> Rowland— >>>>>>>>>>> >>>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that >>>>>>>>>>> command, one would need to include an encoding type, and I’m >>>>>>>>>>> just >>>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>>> Also, something tells me that the ktpass command, when creating >>>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>>> >>>>>>>>>>> Thoughts? >>>>>>>>>>> >>>>>>>>>>> Mike >>>>>>>>>> The problem is the command 'samba-tool spn add' does just >>>>>>>>>> that, it >>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are mentioned. >>>>>>>>>> >>>>>>>>>> Exporting the keytab is the same, there is no mention of >>>>>>>>>> enctypes >>>>>>>>>> >>>>>>>>>> So, until this changes, the wiki can only document what actually >>>>>>>>>> happens. >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>> Hello Rowland, >>>>>>>>> >>>>>>>>> As I wrote before you can use the command >>>>>>>>> >>>>>>>>> net ads enctypes set [username] 31 >>>>>>>>> >>>>>>>>> to convince domain export to export also the aes keys for the >>>>>>>>> SPN's >>>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys >>>>>>>>> can be >>>>>>>>> removed from the keytab file with ktutil. >>>>>>>>> >>>>>>>>> See here for more info about "net ads enctypes" >>>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> It controls which encryption types are used for ticket generation >>>>>>>>> on the server. >>>>>>>>> >>>>>>>>> achim~ >>>>>>>> >>>>>>>> I've been trying to follow this thread but admit I'm still missing >>>>>>>> something. Given the example below, what needs to be done to >>>>>>>> get the >>>>>>>> aes keys in the keytab, exactly? >>>>>>>> >>>>>>>> # net ads enctypes list hostname$ >>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>> >>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>>> >>>>>>>> # klist -ke test >>>>>>>> Keytab name: FILE:test >>>>>>>> KVNO Principal >>>>>>>> ---- >>>>>>>> -------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>>> >>>>>>> >>>>>>> If I 'kinit Administrator' before running your commands as root >>>>>>> on a >>>>>>> DC, I get this: >>>>>>> >>>>>>> klist -ke devstation.keytab >>>>>>> Keytab name: FILE:devstation.keytab >>>>>>> KVNO Principal >>>>>>> ---- >>>>>>> -------------------------------------------------------------------------- >>>>>>> >>>>>>> >>>>>>> >>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>>> >>>>>>> Rowland >>>>>> >>>>>> Yeah, sorry, I should have specified that I did exactly that -- >>>>>> 'kinit >>>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>>> commands I listed. >>>>>> >>>>>> Hm ... would domain/forest functional level matter? we've never >>>>>> bothered to raise ours from the default. >>>>>> >>>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>>> so i >>>>> raised it to 2008 R2. Tested with an user account and at first it >>>>> exported only des and rc4 keys. After setting the password for that >>>>> user >>>>> again (what rowland recommended in an other reply) it does now export >>>>> aes keys for that user. For an computer account you may have to >>>>> rejoin >>>>> the computer to trigger the generation of an new password for that >>>>> account immediate. >>>>> >>>> >>>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>>> domain. One final (I think/hope) question: How might I deal with >>>> password resets of the DC computer accounts themselves, to trigger >>>> the creation of their AES keys? >>>> >>> The password is changed every 30 days by default if you did not >>> disable it via gpo. >>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >>> >>> >>> See here how to reset the computer account passwords manualy. >>> >> For the samba dc's you can use >> >> samba-tool user setpassword hostname$ > > Heh, sheesh, embarrassing ... as easy as that. > > Thanks for your guidance! Rowland, thank you for chiming in as well!Hmm, can be this does mess up replication.
Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba:> > > Am 17.09.2016 um 01:23 schrieb Robert Moulton: >> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >>> >>> >>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>>> >>>> >>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>>>> >>>>>> >>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>>>> >>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>>>> >>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger >>>>>>>>>>>>> <achim at ag-web.biz> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger >>>>>>>>>>>>>>> <achim at ag-web.biz >>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: >>>>>>>>>>>>>>>>>> I see >>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but >>>>>>>>>>>>>>>>>> not the >>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong >>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading >>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I >>>>>>>>>>>>>>>>>> read >>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the >>>>>>>>>>>>>>>>> FQDN and >>>>>>>>>>>>>>>>> only the hostname without the domain part the aes keys >>>>>>>>>>>>>>>>> are >>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed >>>>>>>>>>>>>>>> it to >>>>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>>>> User >>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>>>> above >>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The encryption methods used can be controlled with net >>>>>>>>>>>>>>>>> ads >>>>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>>>>>>>>> (0x0000001f) >>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>>>> algorythm and therefore does not find the account and >>>>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>>> Try this >>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> SPN's. >>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. >>>>>>>>>>>>>> Indeed, >>>>>>>>>>>>>> it did! >>>>>>>>>>>>>> >>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thank you tremendously (although I think we may have created >>>>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>>>> >>>>>>>>>>>>>> Mike >>>>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>>>> >>>>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in >>>>>>>>>>>>> this case >>>>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>>>> >>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>>>> define >>>>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>>>> >>>>>>>>>>>>> The key value is repesented as >>>>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>>>> >>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain >>>>>>>>>>>>> exportkeytab >>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for >>>>>>>>>>>>> aes128 >>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> That’s interesting, indeed. >>>>>>>>>>>> >>>>>>>>>>>> Rowland— >>>>>>>>>>>> >>>>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that >>>>>>>>>>>> command, one would need to include an encoding type, and >>>>>>>>>>>> I’m just >>>>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>>>> Also, something tells me that the ktpass command, when >>>>>>>>>>>> creating >>>>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>>>> >>>>>>>>>>>> Thoughts? >>>>>>>>>>>> >>>>>>>>>>>> Mike >>>>>>>>>>> The problem is the command 'samba-tool spn add' does just >>>>>>>>>>> that, it >>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are >>>>>>>>>>> mentioned. >>>>>>>>>>> >>>>>>>>>>> Exporting the keytab is the same, there is no mention of >>>>>>>>>>> enctypes >>>>>>>>>>> >>>>>>>>>>> So, until this changes, the wiki can only document what >>>>>>>>>>> actually >>>>>>>>>>> happens. >>>>>>>>>>> >>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>> Hello Rowland, >>>>>>>>>> >>>>>>>>>> As I wrote before you can use the command >>>>>>>>>> >>>>>>>>>> net ads enctypes set [username] 31 >>>>>>>>>> >>>>>>>>>> to convince domain export to export also the aes keys for the >>>>>>>>>> SPN's >>>>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys >>>>>>>>>> can be >>>>>>>>>> removed from the keytab file with ktutil. >>>>>>>>>> >>>>>>>>>> See here for more info about "net ads enctypes" >>>>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> It controls which encryption types are used for ticket >>>>>>>>>> generation >>>>>>>>>> on the server. >>>>>>>>>> >>>>>>>>>> achim~ >>>>>>>>> >>>>>>>>> I've been trying to follow this thread but admit I'm still >>>>>>>>> missing >>>>>>>>> something. Given the example below, what needs to be done to >>>>>>>>> get the >>>>>>>>> aes keys in the keytab, exactly? >>>>>>>>> >>>>>>>>> # net ads enctypes list hostname$ >>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>> >>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>>>> >>>>>>>>> # klist -ke test >>>>>>>>> Keytab name: FILE:test >>>>>>>>> KVNO Principal >>>>>>>>> ---- >>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>>>> >>>>>>>> >>>>>>>> If I 'kinit Administrator' before running your commands as root >>>>>>>> on a >>>>>>>> DC, I get this: >>>>>>>> >>>>>>>> klist -ke devstation.keytab >>>>>>>> Keytab name: FILE:devstation.keytab >>>>>>>> KVNO Principal >>>>>>>> ---- >>>>>>>> -------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>>>> >>>>>>>> Rowland >>>>>>> >>>>>>> Yeah, sorry, I should have specified that I did exactly that -- >>>>>>> 'kinit >>>>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>>>> commands I listed. >>>>>>> >>>>>>> Hm ... would domain/forest functional level matter? we've never >>>>>>> bothered to raise ours from the default. >>>>>>> >>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>>>> so i >>>>>> raised it to 2008 R2. Tested with an user account and at first it >>>>>> exported only des and rc4 keys. After setting the password for that >>>>>> user >>>>>> again (what rowland recommended in an other reply) it does now >>>>>> export >>>>>> aes keys for that user. For an computer account you may have to >>>>>> rejoin >>>>>> the computer to trigger the generation of an new password for that >>>>>> account immediate. >>>>>> >>>>> >>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>>>> domain. One final (I think/hope) question: How might I deal with >>>>> password resets of the DC computer accounts themselves, to trigger >>>>> the creation of their AES keys? >>>>> >>>> The password is changed every 30 days by default if you did not >>>> disable it via gpo. >>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >>>> >>>> >>>> See here how to reset the computer account passwords manualy. >>>> >>> For the samba dc's you can use >>> >>> samba-tool user setpassword hostname$ >> >> Heh, sheesh, embarrassing ... as easy as that. >> >> Thanks for your guidance! Rowland, thank you for chiming in as well! > Hmm, can be this does mess up replication. >Yes it does mess up replication! Do not use setpassword for the samba host !!! Glad I made an snapshot of my test vm before i tried it. It worked for an windows 7 client hosever the LDAP and cifs tickets where using aes256.