
[Samba] missing enctypes in exported keytab




Dear all,

this is using Debian stretch and Louis' 4.8.11 packages. I am trying to
export a keytab, and even for a UPN, Samba does not export the AES keys.
What could be the mistake?

root@dc2:~# net ads enctypes list dns-dc2
'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
root@dc2:~# rm dns.keytab
rm: remove regular file 'dns.keytab'? y
root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 dns.keytab
Export one principal to dns.keytab
root@dc2:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 dns-dc2@XXX (arcfour-hmac)
   4 dns-dc2@XXX (des-cbc-md5)
   4 dns-dc2@XXX (des-cbc-crc)

For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
exported during provisioning, has all 5 enctypes on it...

Thanks for any insights,

Christian
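
Added example, not part of the original post and not Samba code: a check that parses an MIT-format keytab (file format 0x0502) and reports which enctypes advertised in msDS-SupportedEncryptionTypes have no key in the file. The realm EXAMPLE.TEST, the all-zero keys and the helper names are assumptions made for a constructed sample that mirrors the klist output above.

```python
import struct
# msDS-SupportedEncryptionTypes bit -> (Kerberos enctype number, klist name)
MSDS_BITS = {0x01: (1, "des-cbc-crc"), 0x02: (3, "des-cbc-md5"),
             0x04: (23, "arcfour-hmac"), 0x08: (17, "aes128-cts-hmac-sha1-96"),
             0x10: (18, "aes256-cts-hmac-sha1-96")}

def counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_enctypes(data):
    """Map each principal in a format-0x0502 keytab to its set of enctype numbers."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = counted(entry, off)
            comps.append(comp)
        # skip name type (4), timestamp (4), 8-bit kvno (1); next is the key type
        (etype,) = struct.unpack_from(">H", entry, off + 9)
        found.setdefault("/".join(comps) + "@" + realm, set()).add(etype)
    return found

def missing_enctypes(mask, data, principal):
    """Names of enctypes the mask advertises but the keytab has no key for."""
    have = keytab_enctypes(data).get(principal, set())
    return [name for bit, (num, name) in sorted(MSDS_BITS.items())
            if mask & bit and num not in have]

def make_entry(realm, name, kvno, etype, key):  # builds the constructed sample only
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 1) + cs(realm) + cs(name)
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: same three enctypes as the klist output, dummy realm and keys
SAMPLE = b"\x05\x02" + b"".join(make_entry("EXAMPLE.TEST", "dns-dc2", 4, e, bytes(n))
                                 for e, n in ((23, 16), (3, 8), (1, 8)))
print(missing_enctypes(0x1F, SAMPLE, "dns-dc2@EXAMPLE.TEST"))
```

To run it against a real export, pass the bytes of the keytab file and the mask printed by `net ads enctypes list` in place of `SAMPLE` and `0x1F`.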
