Re: [Samba] samba creating keytabs... ( possible bug, can someone confirm this )




On Sat, 4 Feb 2017 12:30:29 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Wed, 1 Feb 2017 14:43:52 +0100
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Hai, 
> > 
> >  
> > 
> > I noticed something strange in the keytab file on my member server. 
> > 
> 
> I can confirm this, but it gets stranger ;-)
> 
OK, I think I have found a workaround ;-)

Remove the 'http' SPNs from the computer's AD object

Then (on the client) run this:

net ads keytab add HTTP -k

klist -ket

.................
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@xxxxxxxxxxxxxxxxxx (des-cbc-crc) 
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@xxxxxxxxxxxxxxxxxx (des-cbc-crc) 
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@xxxxxxxxxxxxxxxxxx (des-cbc-md5) 
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@xxxxxxxxxxxxxxxxxx (des-cbc-md5) 
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96) 
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96) 
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96) 
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96) 
   2 04/02/17 12:44:48 HTTP/devclient.samdom.example.com@xxxxxxxxxxxxxxxxxx (arcfour-hmac) 
   2 04/02/17 12:44:48 HTTP/DEVCLIENT@xxxxxxxxxxxxxxxxxx (arcfour-hmac) 

and in the computer's AD object:

servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com

Rowland
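
A check for the result described in the message above, as an added example that is not part of the original post or of Samba: it parses `klist -ket` output and the computer object's servicePrincipalName values, reports HTTP principals present on only one side (compared case-insensitively, as AD does for SPNs), and lists the DES and RC4 enctypes that RFC 6649 and RFC 8429 deprecate. The sample data is constructed from the listing in the post, `REALM.EXAMPLE` is a placeholder for the redacted realm, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4).
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
# One keytab entry: KVNO, date, time, principal@REALM, (enctype).
ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)@\S+\s+\(([^)]+)\)\s*$")

# Constructed sample modelled on the post; REALM.EXAMPLE is a placeholder.
ENCTYPES = ("des-cbc-crc", "des-cbc-md5", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha1-96", "arcfour-hmac")
SAMPLE_KLIST = "KVNO Timestamp         Principal\n" + "\n".join(
    f"   2 04/02/17 12:44:48 HTTP/{host}@REALM.EXAMPLE ({enc})"
    for enc in ENCTYPES for host in ("devclient.samdom.example.com", "DEVCLIENT"))
SAMPLE_LDIF = """\
servicePrincipalName: HOST/DEVCLIENT
servicePrincipalName: HOST/devclient.samdom.example.com
servicePrincipalName: nfs/devclient
servicePrincipalName: nfs/devclient.samdom.example.com
servicePrincipalName: HTTP/devclient
servicePrincipalName: HTTP/devclient.samdom.example.com
"""

def parse_klist(text):
    """Map each principal (realm stripped) to the set of enctypes it has keys for."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            keys[m.group(1)].add(m.group(2))
    return dict(keys)

def parse_spns(ldif):
    """Return servicePrincipalName values from LDIF-style attribute lines."""
    return [l.split(":", 1)[1].strip() for l in ldif.splitlines()
            if l.lower().startswith("serviceprincipalname:")]

def audit(klist_text, ldif_text, service="HTTP"):
    """Compare keytab principals and AD SPNs for one service class."""
    prefix = service.lower() + "/"
    keys = {p: e for p, e in parse_klist(klist_text).items() if p.lower().startswith(prefix)}
    in_keytab = {p.lower() for p in keys}
    in_ad = {s.lower() for s in parse_spns(ldif_text) if s.lower().startswith(prefix)}
    return {"keytab_only": sorted(in_keytab - in_ad),
            "ad_only": sorted(in_ad - in_keytab),
            "weak": sorted(set().union(*keys.values()) & WEAK)}

if __name__ == "__main__":
    print(audit(SAMPLE_KLIST, SAMPLE_LDIF))
```
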
