On Mon, 2019-04-29 at 18:56 +0100, Rowland Penny via samba wrote:
>
> That shouldn't make any difference, the 2003 level only used the
> three enctypes you have now, this is on one of my DC's:
>
> root@dc4:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc4:~# klist -ke /root/dns.keytab
> Keytab name: FILE:/root/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>
> Have you restarted the Samba DC ?

The password needs to be changed to get a new encryption type in the
DB, and so therefore the keytab.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 29.04.2019 at 21:02, Andrew Bartlett via samba wrote:
> On Mon, 2019-04-29 at 18:56 +0100, Rowland Penny via samba wrote:
>>
>> That shouldn't make any difference, the 2003 level only used the
>> three enctypes you have now, this is on one of my DC's:
>>
>> root@dc4:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
>>
>> Forest function level: (Windows) 2008 R2
>> Domain function level: (Windows) 2008 R2
>> Lowest function level of a DC: (Windows) 2008 R2
>> root@dc4:~# klist -ke /root/dns.keytab
>> Keytab name: FILE:/root/dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
>>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
>>    1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
>>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
>>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
>>
>> Have you restarted the Samba DC ?
> The password needs to be changed to get a new encryption type in the
> DB, and so therefore the keytab.
>
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Andrew,

thanks for the hint. Restarting the samba fixed that...

Best wishes,
Christian

On Thu, 2 May 2019 01:59:59 +0200 Christian via samba <samba at lists.samba.org> wrote:
> On 29.04.2019 at 21:02, Andrew Bartlett via samba wrote:
> > On Mon, 2019-04-29 at 18:56 +0100, Rowland Penny via samba wrote:
> >>
> >> That shouldn't make any difference, the 2003 level only used the
> >> three enctypes you have now, this is on one of my DC's:
> >>
> >> root@dc4:~# samba-tool domain level show
> >> Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
> >>
> >> Forest function level: (Windows) 2008 R2
> >> Domain function level: (Windows) 2008 R2
> >> Lowest function level of a DC: (Windows) 2008 R2
> >> root@dc4:~# klist -ke /root/dns.keytab
> >> Keytab name: FILE:/root/dns.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
> >>    1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
> >>    1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
> >>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
> >>    1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
> >>
> >> Have you restarted the Samba DC ?
> > The password needs to be changed to get a new encryption type in the
> > DB, and so therefore the keytab.
> >
> > Andrew Bartlett
> > --
> > Andrew Bartlett                       http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
> Andrew,
>
> thanks for the hint. Restarting the samba fixed that...
>
> Best wishes,
> Christian

Now what was the last thing that I asked ? Oh, I know, 'Have you
restarted the Samba DC' ;-)

Rowland
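
Added example, not part of the thread and not Samba project code: a small checker for the situation discussed above, which reads `klist -ke` text and reports principals whose newest key version still lacks the enctypes you expect. The sample listing, the `host-dc4` principal and the function names are constructed for illustration, and the sample assumes a password change raised the KVNO.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `klist -ke` prints; not output from the thread.
SAMPLE = """\
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 host-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""

# One keytab entry: KVNO, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}}; header lines are skipped."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            # Some klist builds print a prefix such as "DEPRECATED:"; drop it.
            keys[principal][int(kvno)].add(enctype.split(":")[-1])
    return keys


def missing_enctypes(text, wanted):
    """Map principal -> (latest kvno, wanted enctypes absent at that kvno)."""
    report = {}
    for principal, by_kvno in parse_klist(text).items():
        latest = max(by_kvno)  # older key versions do not count
        absent = sorted(set(wanted) - by_kvno[latest])
        if absent:
            report[principal] = (latest, absent)
    return report


if __name__ == "__main__":
    wanted = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    for principal, (kvno, absent) in missing_enctypes(SAMPLE, wanted).items():
        print(f"{principal} kvno {kvno}: missing {', '.join(absent)}")
```

To check a real keytab, pass the text captured from `klist -ke <keytab>` to `missing_enctypes` in place of `SAMPLE`.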