On 29.04.2019 at 12:55, L.P.H. van Belle via samba wrote:
> Hai,
>
> That's a strange one..
>
>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> Try this first.
> sudo samba-tool domain exportkeytab dns.keytab --principal=dns-dc2

Same result.

Cheers,
Christian

>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Christian via samba
>> Sent: Monday 29 April 2019 12:30
>> To: samba at lists.samba.org
>> Subject: [Samba] missing enctypes in exported keytab
>>
>> Dear all,
>>
>> this is using debian stretch and Louis' 4.8.11 packages. I am trying to
>> export a keytab, and even for a UPN, samba does not export the AES keys.
>> What could be the mistake?
>>
>> root@dc2:~# net ads enctypes list dns-dc2
>> 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>> [X] 0x00000001 DES-CBC-CRC
>> [X] 0x00000002 DES-CBC-MD5
>> [X] 0x00000004 RC4-HMAC
>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>> root@dc2:~# rm dns.keytab
>> rm: remove regular file 'dns.keytab'? y
>> root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 \
>> dns.keytab
>> Export one principal to dns.keytab
>> root@dc2:~# klist -ke dns.keytab
>> Keytab name: FILE:dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 4 dns-dc2@XXX (arcfour-hmac)
>> 4 dns-dc2@XXX (des-cbc-md5)
>> 4 dns-dc2@XXX (des-cbc-crc)
>>
>> For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
>> exported during provisioning, has all 5 enctypes on it...
>>
>> Thanks for any insights,
>>
>> Christian
>>
>