Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba:> > > Am 17.09.2016 um 01:23 schrieb Robert Moulton: >> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >>> >>> >>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>>> >>>> >>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>>>> >>>>>> >>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>>>> >>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>>>> >>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger >>>>>>>>>>>>> <achim at ag-web.biz> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger >>>>>>>>>>>>>>> <achim at ag-web.biz >>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: >>>>>>>>>>>>>>>>>> I see >>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but >>>>>>>>>>>>>>>>>> not the >>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong >>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading >>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I >>>>>>>>>>>>>>>>>> read >>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the >>>>>>>>>>>>>>>>> FQDN and >>>>>>>>>>>>>>>>> only the hostname without the domain part the aes keys >>>>>>>>>>>>>>>>> are >>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed >>>>>>>>>>>>>>>> it to >>>>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>>>> User >>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>>>> above >>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The encryption methods used can be controlled with net >>>>>>>>>>>>>>>>> ads >>>>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>>>>>>>>> (0x0000001f) >>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>>>> algorythm and therefore does not find the account and >>>>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>>> Try this >>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> SPN's. >>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. >>>>>>>>>>>>>> Indeed, >>>>>>>>>>>>>> it did! >>>>>>>>>>>>>> >>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thank you tremendously (although I think we may have created >>>>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>>>> >>>>>>>>>>>>>> Mike >>>>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>>>> >>>>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in >>>>>>>>>>>>> this case >>>>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>>>> >>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>>>> define >>>>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>>>> >>>>>>>>>>>>> The key value is repesented as >>>>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>>>> >>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain >>>>>>>>>>>>> exportkeytab >>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for >>>>>>>>>>>>> aes128 >>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> That’s interesting, indeed. >>>>>>>>>>>> >>>>>>>>>>>> Rowland— >>>>>>>>>>>> >>>>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that >>>>>>>>>>>> command, one would need to include an encoding type, and >>>>>>>>>>>> I’m just >>>>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>>>> Also, something tells me that the ktpass command, when >>>>>>>>>>>> creating >>>>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>>>> >>>>>>>>>>>> Thoughts? >>>>>>>>>>>> >>>>>>>>>>>> Mike >>>>>>>>>>> The problem is the command 'samba-tool spn add' does just >>>>>>>>>>> that, it >>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are >>>>>>>>>>> mentioned. >>>>>>>>>>> >>>>>>>>>>> Exporting the keytab is the same, there is no mention of >>>>>>>>>>> enctypes >>>>>>>>>>> >>>>>>>>>>> So, until this changes, the wiki can only document what >>>>>>>>>>> actually >>>>>>>>>>> happens. >>>>>>>>>>> >>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>> Hello Rowland, >>>>>>>>>> >>>>>>>>>> As I wrote before you can use the command >>>>>>>>>> >>>>>>>>>> net ads enctypes set [username] 31 >>>>>>>>>> >>>>>>>>>> to convince domain export to export also the aes keys for the >>>>>>>>>> SPN's >>>>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys >>>>>>>>>> can be >>>>>>>>>> removed from the keytab file with ktutil. >>>>>>>>>> >>>>>>>>>> See here for more info about "net ads enctypes" >>>>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> It controls which encryption types are used for ticket >>>>>>>>>> generation >>>>>>>>>> on the server. >>>>>>>>>> >>>>>>>>>> achim~ >>>>>>>>> >>>>>>>>> I've been trying to follow this thread but admit I'm still >>>>>>>>> missing >>>>>>>>> something. Given the example below, what needs to be done to >>>>>>>>> get the >>>>>>>>> aes keys in the keytab, exactly? >>>>>>>>> >>>>>>>>> # net ads enctypes list hostname$ >>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>> >>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>>>> >>>>>>>>> # klist -ke test >>>>>>>>> Keytab name: FILE:test >>>>>>>>> KVNO Principal >>>>>>>>> ---- >>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>>>> >>>>>>>> >>>>>>>> If I 'kinit Administrator' before running your commands as root >>>>>>>> on a >>>>>>>> DC, I get this: >>>>>>>> >>>>>>>> klist -ke devstation.keytab >>>>>>>> Keytab name: FILE:devstation.keytab >>>>>>>> KVNO Principal >>>>>>>> ---- >>>>>>>> -------------------------------------------------------------------------- >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>>>> >>>>>>>> Rowland >>>>>>> >>>>>>> Yeah, sorry, I should have specified that I did exactly that -- >>>>>>> 'kinit >>>>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>>>> commands I listed. >>>>>>> >>>>>>> Hm ... would domain/forest functional level matter? we've never >>>>>>> bothered to raise ours from the default. >>>>>>> >>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>>>> so i >>>>>> raised it to 2008 R2. Tested with an user account and at first it >>>>>> exported only des and rc4 keys. After setting the password for that >>>>>> user >>>>>> again (what rowland recommended in an other reply) it does now >>>>>> export >>>>>> aes keys for that user. For an computer account you may have to >>>>>> rejoin >>>>>> the computer to trigger the generation of an new password for that >>>>>> account immediate. >>>>>> >>>>> >>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>>>> domain. One final (I think/hope) question: How might I deal with >>>>> password resets of the DC computer accounts themselves, to trigger >>>>> the creation of their AES keys? >>>>> >>>> The password is changed every 30 days by default if you did not >>>> disable it via gpo. >>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >>>> >>>> >>>> See here how to reset the computer account passwords manualy. >>>> >>> For the samba dc's you can use >>> >>> samba-tool user setpassword hostname$ >> >> Heh, sheesh, embarrassing ... as easy as that. >> >> Thanks for your guidance! Rowland, thank you for chiming in as well! > Hmm, can be this does mess up replication. >Yes it does mess up replication! Do not use setpassword for the samba host !!! Glad I made an snapshot of my test vm before i tried it. It worked for an windows 7 client hosever the LDAP and cifs tickets where using aes256.
Am 17.09.2016 um 02:36 schrieb Achim Gottinger via samba:> > > Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba: >> >> >> Am 17.09.2016 um 01:23 schrieb Robert Moulton: >>> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >>>> >>>> >>>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>>>> >>>>> >>>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>>>>> >>>>>>> >>>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>>>>> >>>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>>>>> >>>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger >>>>>>>>>>>>>> <achim at ag-web.biz> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger >>>>>>>>>>>>>>>> <achim at ag-web.biz >>>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: >>>>>>>>>>>>>>>>>>> I see >>>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but >>>>>>>>>>>>>>>>>>> not the >>>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something >>>>>>>>>>>>>>>>>>> wrong >>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall >>>>>>>>>>>>>>>>>>> reading that >>>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I >>>>>>>>>>>>>>>>>>> read >>>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the >>>>>>>>>>>>>>>>>> FQDN and >>>>>>>>>>>>>>>>>> only the hostname without the domain part the aes >>>>>>>>>>>>>>>>>> keys are >>>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed >>>>>>>>>>>>>>>>> it to >>>>>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>>>>> User >>>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>>>>> above >>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> The encryption methods used can be controlled with >>>>>>>>>>>>>>>>>> net ads >>>>>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>>>>>>>>>> (0x0000001f) >>>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>>>>> algorythm and therefore does not find the account and >>>>>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL >>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>>>> Try this >>>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys >>>>>>>>>>>>>>>> for the >>>>>>>>>>>>>>>> SPN's. >>>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. >>>>>>>>>>>>>>> Indeed, >>>>>>>>>>>>>>> it did! >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thank you tremendously (although I think we may have >>>>>>>>>>>>>>> created >>>>>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>>>>> >>>>>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in >>>>>>>>>>>>>> this case >>>>>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>>>>> >>>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>>>>> define >>>>>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>>>>> >>>>>>>>>>>>>> The key value is repesented as >>>>>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>>>>> >>>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain >>>>>>>>>>>>>> exportkeytab >>>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for >>>>>>>>>>>>>> aes128 >>>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> That’s interesting, indeed. >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland— >>>>>>>>>>>>> >>>>>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With >>>>>>>>>>>>> that >>>>>>>>>>>>> command, one would need to include an encoding type, and >>>>>>>>>>>>> I’m just >>>>>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>>>>> Also, something tells me that the ktpass command, when >>>>>>>>>>>>> creating >>>>>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>>>>> >>>>>>>>>>>>> Thoughts? >>>>>>>>>>>>> >>>>>>>>>>>>> Mike >>>>>>>>>>>> The problem is the command 'samba-tool spn add' does just >>>>>>>>>>>> that, it >>>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are >>>>>>>>>>>> mentioned. >>>>>>>>>>>> >>>>>>>>>>>> Exporting the keytab is the same, there is no mention of >>>>>>>>>>>> enctypes >>>>>>>>>>>> >>>>>>>>>>>> So, until this changes, the wiki can only document what >>>>>>>>>>>> actually >>>>>>>>>>>> happens. >>>>>>>>>>>> >>>>>>>>>>>> Rowland >>>>>>>>>>>> >>>>>>>>>>> Hello Rowland, >>>>>>>>>>> >>>>>>>>>>> As I wrote before you can use the command >>>>>>>>>>> >>>>>>>>>>> net ads enctypes set [username] 31 >>>>>>>>>>> >>>>>>>>>>> to convince domain export to export also the aes keys for >>>>>>>>>>> the SPN's >>>>>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys >>>>>>>>>>> can be >>>>>>>>>>> removed from the keytab file with ktutil. >>>>>>>>>>> >>>>>>>>>>> See here for more info about "net ads enctypes" >>>>>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> It controls which encryption types are used for ticket >>>>>>>>>>> generation >>>>>>>>>>> on the server. >>>>>>>>>>> >>>>>>>>>>> achim~ >>>>>>>>>> >>>>>>>>>> I've been trying to follow this thread but admit I'm still >>>>>>>>>> missing >>>>>>>>>> something. Given the example below, what needs to be done to >>>>>>>>>> get the >>>>>>>>>> aes keys in the keytab, exactly? >>>>>>>>>> >>>>>>>>>> # net ads enctypes list hostname$ >>>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>> (0x0000001f) >>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>> >>>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>>>>> >>>>>>>>>> # klist -ke test >>>>>>>>>> Keytab name: FILE:test >>>>>>>>>> KVNO Principal >>>>>>>>>> ---- >>>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>>>>> >>>>>>>>> >>>>>>>>> If I 'kinit Administrator' before running your commands as >>>>>>>>> root on a >>>>>>>>> DC, I get this: >>>>>>>>> >>>>>>>>> klist -ke devstation.keytab >>>>>>>>> Keytab name: FILE:devstation.keytab >>>>>>>>> KVNO Principal >>>>>>>>> ---- >>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>>>>> >>>>>>>>> Rowland >>>>>>>> >>>>>>>> Yeah, sorry, I should have specified that I did exactly that -- >>>>>>>> 'kinit >>>>>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>>>>> commands I listed. >>>>>>>> >>>>>>>> Hm ... would domain/forest functional level matter? we've never >>>>>>>> bothered to raise ours from the default. >>>>>>>> >>>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>>>>> so i >>>>>>> raised it to 2008 R2. Tested with an user account and at first it >>>>>>> exported only des and rc4 keys. After setting the password for that >>>>>>> user >>>>>>> again (what rowland recommended in an other reply) it does now >>>>>>> export >>>>>>> aes keys for that user. For an computer account you may have to >>>>>>> rejoin >>>>>>> the computer to trigger the generation of an new password for that >>>>>>> account immediate. >>>>>>> >>>>>> >>>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>>>>> domain. One final (I think/hope) question: How might I deal with >>>>>> password resets of the DC computer accounts themselves, to trigger >>>>>> the creation of their AES keys? >>>>>> >>>>> The password is changed every 30 days by default if you did not >>>>> disable it via gpo. >>>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >>>>> >>>>> >>>>> See here how to reset the computer account passwords manualy. >>>>> >>>> For the samba dc's you can use >>>> >>>> samba-tool user setpassword hostname$ >>> >>> Heh, sheesh, embarrassing ... as easy as that. >>> >>> Thanks for your guidance! Rowland, thank you for chiming in as well! >> Hmm, can be this does mess up replication. >> > Yes it does mess up replication! Do not use setpassword for the samba > host !!! > Glad I made an snapshot of my test vm before i tried it. > It worked for an windows 7 client hosever the LDAP and cifs tickets > where using aes256Reading https://wiki.samba.org/index.php/Keytab_Extraction ----- snip ---------------- Offline Keytab Creation from Secrets.tdb If the net command fails (after all, that could be the reason for us to start sniffing...), you can still generate a keytab without domain admin credentials, if you can get a hold on the server's secrets.tdb. This method can also be done offline on a different machine. tdbdump secrets.tdb Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the value without the trailing zero. Use the *ktutil* utility to construct the keytab: ------ snap ------------- We do not use ktutil but use the password mentioned here for the "samba-tool user setpassword hostname$" command. This does not break replication and the aes keys are exported.
On Fri, Sep 16, 2016 at 6:08 PM, Achim Gottinger via samba <samba at lists.samba.org> wrote:> > > Am 17.09.2016 um 02:36 schrieb Achim Gottinger via samba: >> >> >> >> Am 17.09.2016 um 02:19 schrieb Achim Gottinger via samba: >>> >>> >>> >>> Am 17.09.2016 um 01:23 schrieb Robert Moulton: >>>> >>>> Achim Gottinger via samba wrote on 9/16/16 4:14 PM: >>>>> >>>>> >>>>> >>>>> Am 17.09.2016 um 00:54 schrieb Achim Gottinger via samba: >>>>>> >>>>>> >>>>>> >>>>>> Am 17.09.2016 um 00:29 schrieb Robert Moulton via samba: >>>>>>> >>>>>>> Achim Gottinger via samba wrote on 9/16/16 3:05 PM: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Am 16.09.2016 um 23:00 schrieb Robert Moulton via samba: >>>>>>>>> >>>>>>>>> Rowland Penny via samba wrote on 9/16/16 1:43 PM: >>>>>>>>>> >>>>>>>>>> On Fri, 16 Sep 2016 13:00:52 -0700 >>>>>>>>>> Robert Moulton via samba <samba at lists.samba.org> wrote: >>>>>>>>>> >>>>>>>>>>> Achim Gottinger via samba wrote on 9/15/16 1:20 AM: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Am 15.09.2016 um 09:35 schrieb Rowland Penny via samba: >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, 14 Sep 2016 16:23:27 -0500 >>>>>>>>>>>>> Michael A Weber via samba <samba at lists.samba.org> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>>> On Sep 14, 2016, at 2:00 PM, Achim Gottinger >>>>>>>>>>>>>>> <achim at ag-web.biz> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Am 14.09.2016 um 20:33 schrieb Michael A Weber: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger >>>>>>>>>>>>>>>>> <achim at ag-web.biz >>>>>>>>>>>>>>>>> <mailto:achim at ag-web.biz>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Am 14.09.2016 um 19:53 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba >>>>>>>>>>>>>>>>>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> >>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Am 14.09.2016 um 18:23 schrieb Michael A Weber: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Question though, just for my curiosity: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> The encryption algorithms specified after each SPN: I >>>>>>>>>>>>>>>>>>>> see >>>>>>>>>>>>>>>>>>>> that aes-256 is listed when I export the user, but not >>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> SPN. Are those expected, or have I done something wrong >>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>> used incorrect algorithms somewhere? I recall reading >>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>> DES is not secure enough and that AES-256 (I think I >>>>>>>>>>>>>>>>>>>> read >>>>>>>>>>>>>>>>>>>> this during TLS enablement) is what should be used. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I get the same behaviour here. If i do nout use the FQDN >>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>> only the hostname without the domain part the aes keys >>>>>>>>>>>>>>>>>>> are >>>>>>>>>>>>>>>>>>> included. In your case --principal HTTP/intranet. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> So, now I’m a little more confused. I’ve added the SPN to >>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>> user without the realm part, which succeeds. I listed it >>>>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>>>> verify, and it’s there (sanitized here): >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> samba-tool spn list web-intranet-macmini >>>>>>>>>>>>>>>>>> web-intranet-macmini >>>>>>>>>>>>>>>>>> User >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld >>>>>>>>>>>>>>>>>> has the following servicePrincipalName: >>>>>>>>>>>>>>>>>> HTTP/intranet.domain2.domain1.tld >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Then, if I go to export the keytab as you have indicated >>>>>>>>>>>>>>>>>> above >>>>>>>>>>>>>>>>>> with —principal=HTTP/intranet it errors: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab >>>>>>>>>>>>>>>>>> --principal=HTTP/intranet ERROR(runtime): uncaught >>>>>>>>>>>>>>>>>> exception - >>>>>>>>>>>>>>>>>> Key table entry not found File >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> line 175, in _run return self.run(*args, **kwargs) File >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", >>>>>>>>>>>>>>>>>> line 129, in run net.export_keytab(keytab=keytab, >>>>>>>>>>>>>>>>>> principal=principal) >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Should that command work? Or, was that for >>>>>>>>>>>>>>>>>> demonstration/explanation purposes only? I’m assuming it >>>>>>>>>>>>>>>>>> worked for you since you referenced my specific case. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I feel I’m missing something. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> The encryption methods used can be controlled with net >>>>>>>>>>>>>>>>>>> ads >>>>>>>>>>>>>>>>>>> enctypes. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> If i run (after kinit Administrator) >>>>>>>>>>>>>>>>>>> net ads enctypes list dc1$ >>>>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>>>> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 >>>>>>>>>>>>>>>>>>> (0x0000001f) >>>>>>>>>>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I get this as well. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> If i use >>>>>>>>>>>>>>>>>>> net ads enctypes list dc1.domain.local$ >>>>>>>>>>>>>>>>>>> i get >>>>>>>>>>>>>>>>>>> no account found with filter: >>>>>>>>>>>>>>>>>>> (&(objectclass=user)(sAMAccountName=dc1.domain.local$)) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Again, I get this as well. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Seems "samba-tool domain exportkeytab" uses an similar >>>>>>>>>>>>>>>>>>> algorythm and therefore does not find the account and >>>>>>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>>>>>> des and arcfour keys per default. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and >>>>>>>>>>>>>>>>>>> read the instructions: >>>>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba >>>>>>>>>>>>>>>>>>> <https://lists.samba.org/mailman/options/samba> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Try this >>>>>>>>>>>>>>>>> net ads enctypes set web-intranet-macmini 31 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Afterwards "domain export" will export also aes keys for >>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>> SPN's. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> And, this is why I addressed you as “experts” earlier. >>>>>>>>>>>>>>>> Indeed, >>>>>>>>>>>>>>>> it did! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Now, I’m going to use ktutil to pull these into my existing >>>>>>>>>>>>>>>> keytab on the destination machine and begin my testing. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thank you tremendously (although I think we may have created >>>>>>>>>>>>>>>> hell for Rowland with the wiki documentation)! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Mike >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I was wondering about the missing aes keys for an while. So >>>>>>>>>>>>>>> thanks for bringing it up on the list. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> If an user gets created the attribute >>>>>>>>>>>>>>> msDS-SupportedEncryptionTypes remains undefined and in this >>>>>>>>>>>>>>> case >>>>>>>>>>>>>>> only des and rc4 keys are exported. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> net ads enctypes set [hostname] [key value] can be used to >>>>>>>>>>>>>>> define >>>>>>>>>>>>>>> the valid keys for an accound (and it's spn's). >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The key value is repesented as >>>>>>>>>>>>>>> 0x00000001 DES-CBC-CRC >>>>>>>>>>>>>>> 0x00000002 DES-CBC-MD5 >>>>>>>>>>>>>>> 0x00000004 RC4-HMAC >>>>>>>>>>>>>>> 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>>> 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>>>>> >>>>>>>>>>>>>> (you mean, 0x00000016, for the last entry) >>>>>>>>>>>>>> >>>>>>>>>>>>>>> So using 31 enables all of them. samba-tool domain >>>>>>>>>>>>>>> exportkeytab >>>>>>>>>>>>>>> does always export des and rc4 keys but honours 0x8 for >>>>>>>>>>>>>>> aes128 >>>>>>>>>>>>>>> and 0x10 for aes256. I assume if enctypes are set to 24 for >>>>>>>>>>>>>>> example (only aes128/256) the server will honour this and >>>>>>>>>>>>>>> decline des and rc4 attempts. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> That’s interesting, indeed. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Rowland— >>>>>>>>>>>>>> >>>>>>>>>>>>>> This whole thing seems to me like we are duplicating the >>>>>>>>>>>>>> functionality of the ktpass command on a Windows AD. With that >>>>>>>>>>>>>> command, one would need to include an encoding type, and I’m >>>>>>>>>>>>>> just >>>>>>>>>>>>>> wondering if it should be included in the wiki pages as well >>>>>>>>>>>>>> rather than trying to add it back manually after the export. >>>>>>>>>>>>>> Also, something tells me that the ktpass command, when >>>>>>>>>>>>>> creating >>>>>>>>>>>>>> the SPN for a user, also sets the required encoding type. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thoughts? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Mike >>>>>>>>>>>>> >>>>>>>>>>>>> The problem is the command 'samba-tool spn add' does just that, >>>>>>>>>>>>> it >>>>>>>>>>>>> only adds the 'servicePrincipalName', no enctypes are >>>>>>>>>>>>> mentioned. >>>>>>>>>>>>> >>>>>>>>>>>>> Exporting the keytab is the same, there is no mention of >>>>>>>>>>>>> enctypes >>>>>>>>>>>>> >>>>>>>>>>>>> So, until this changes, the wiki can only document what >>>>>>>>>>>>> actually >>>>>>>>>>>>> happens. >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland >>>>>>>>>>>>> >>>>>>>>>>>> Hello Rowland, >>>>>>>>>>>> >>>>>>>>>>>> As I wrote before you can use the command >>>>>>>>>>>> >>>>>>>>>>>> net ads enctypes set [username] 31 >>>>>>>>>>>> >>>>>>>>>>>> to convince domain export to export also the aes keys for the >>>>>>>>>>>> SPN's >>>>>>>>>>>> assigned to [username] like it is done for [username]. >>>>>>>>>>>> If only aes keys are wanted in the keytab file unwanted keys can >>>>>>>>>>>> be >>>>>>>>>>>> removed from the keytab file with ktutil. >>>>>>>>>>>> >>>>>>>>>>>> See here for more info about "net ads enctypes" >>>>>>>>>>>> >>>>>>>>>>>> https://www.mail-archive.com/cifs-protocol at lists.samba.org/msg00062.html. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> It controls which encryption types are used for ticket >>>>>>>>>>>> generation >>>>>>>>>>>> on the server. >>>>>>>>>>>> >>>>>>>>>>>> achim~ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I've been trying to follow this thread but admit I'm still >>>>>>>>>>> missing >>>>>>>>>>> something. Given the example below, what needs to be done to get >>>>>>>>>>> the >>>>>>>>>>> aes keys in the keytab, exactly? >>>>>>>>>>> >>>>>>>>>>> # net ads enctypes list hostname$ >>>>>>>>>>> 'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) >>>>>>>>>>> [X] 0x00000001 DES-CBC-CRC >>>>>>>>>>> [X] 0x00000002 DES-CBC-MD5 >>>>>>>>>>> [X] 0x00000004 RC4-HMAC >>>>>>>>>>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96 >>>>>>>>>>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96 >>>>>>>>>>> >>>>>>>>>>> # samba-tool domain exportkeytab test --principal=hostname$ >>>>>>>>>>> >>>>>>>>>>> # klist -ke test >>>>>>>>>>> Keytab name: FILE:test >>>>>>>>>>> KVNO Principal >>>>>>>>>>> ---- >>>>>>>>>>> >>>>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-crc) >>>>>>>>>>> 1 hostname$@EXAMPLE.COM (des-cbc-md5) >>>>>>>>>>> 1 hostname$@EXAMPLE.COM (arcfour-hmac) >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> If I 'kinit Administrator' before running your commands as root on >>>>>>>>>> a >>>>>>>>>> DC, I get this: >>>>>>>>>> >>>>>>>>>> klist -ke devstation.keytab >>>>>>>>>> Keytab name: FILE:devstation.keytab >>>>>>>>>> KVNO Principal >>>>>>>>>> ---- >>>>>>>>>> >>>>>>>>>> -------------------------------------------------------------------------- >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac) >>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) >>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) >>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5) >>>>>>>>>> 1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc) >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>> >>>>>>>>> >>>>>>>>> Yeah, sorry, I should have specified that I did exactly that -- >>>>>>>>> 'kinit >>>>>>>>> Administrator' as root, on a DC -- followed by the sequence of >>>>>>>>> commands I listed. >>>>>>>>> >>>>>>>>> Hm ... would domain/forest functional level matter? we've never >>>>>>>>> bothered to raise ours from the default. >>>>>>>>> >>>>>>>> That's it. On my 4.2.10 server the domain and forest level was 2003 >>>>>>>> so i >>>>>>>> raised it to 2008 R2. Tested with an user account and at first it >>>>>>>> exported only des and rc4 keys. After setting the password for that >>>>>>>> user >>>>>>>> again (what rowland recommended in an other reply) it does now >>>>>>>> export >>>>>>>> aes keys for that user. For an computer account you may have to >>>>>>>> rejoin >>>>>>>> the computer to trigger the generation of an new password for that >>>>>>>> account immediate. >>>>>>>> >>>>>>> >>>>>>> Excellent, thanks. Indeed, it worked for me here, too, on a test >>>>>>> domain. One final (I think/hope) question: How might I deal with >>>>>>> password resets of the DC computer accounts themselves, to trigger >>>>>>> the creation of their AES keys? >>>>>>> >>>>>> The password is changed every 30 days by default if you did not >>>>>> disable it via gpo. >>>>>> >>>>>> https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ >>>>>> >>>>>> See here how to reset the computer account passwords manualy. >>>>>> >>>>> For the samba dc's you can use >>>>> >>>>> samba-tool user setpassword hostname$ >>>> >>>> >>>> Heh, sheesh, embarrassing ... as easy as that. >>>> >>>> Thanks for your guidance! Rowland, thank you for chiming in as well! >>> >>> Hmm, can be this does mess up replication. >>> >> Yes it does mess up replication! Do not use setpassword for the samba host >> !!! >> Glad I made an snapshot of my test vm before i tried it. >> It worked for an windows 7 client hosever the LDAP and cifs tickets where >> using aes256 > > > Reading https://wiki.samba.org/index.php/Keytab_Extraction > ----- snip ---------------- > Offline Keytab Creation from Secrets.tdb > > If the net command fails (after all, that could be the reason for us to > start sniffing...), you can still generate a keytab without domain admin > credentials, if you can get a hold on the server's secrets.tdb. This method > can also be done offline on a different machine. > > tdbdump secrets.tdb > > Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is the > value without the trailing zero. Use the *ktutil* utility to construct the > keytab: > ------ snap ------------- > > We do not use ktutil but use the password mentioned here for the "samba-tool > user setpassword hostname$" command. > > This does not break replication and the aes keys are exported.Ah, okay, I think I've got it, for my production domain: - step 1: use the above tdbdump trick to identify the existing password - step 2: use samba-tool to "reset" the password to the same value I already reset the password of the single DC in my test domain. Without other DCs in the picture there's effectively no harm done, right? I do have a fairly recent samba_backup dump to use, if necessary.