
Re: [Samba] missing enctypes in exported keytab




Hai, 

That's a strange one...

> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) 

Try this first. 
 sudo samba-tool domain exportkeytab dns.keytab  --principal=dns-dc2


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Christian via samba
> Sent: Monday, 29 April 2019 12:30
> To: samba@xxxxxxxxxxxxxxx
> Subject: [Samba] missing enctypes in exported keytab
> 
> Dear all,
> 
> this is using Debian stretch and Louis' 4.8.11 packages. I am trying to
> export a keytab, and even for a UPN, samba does not export the AES keys.
> What could be the mistake?
> 
> root@dc2:~# net ads enctypes list dns-dc2
> 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> root@dc2:~# rm dns.keytab
> rm: remove regular file 'dns.keytab'? y
> root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 dns.keytab
> Export one principal to dns.keytab
> root@dc2:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 dns-dc2@XXX (arcfour-hmac)
>    4 dns-dc2@XXX (des-cbc-md5)
>    4 dns-dc2@XXX (des-cbc-crc)
> 
> For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
> exported during provisioning, has all 5 enctypes on it...
> 
> Thanks for any insights,
> 
> Christian
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


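The check discussed in this thread (an account's "msDS-SupportedEncryptionTypes" mask versus the enctypes actually present in an exported keytab) can be automated. The following is an added example, not part of the original messages and not Samba code; it assumes the common keytab file format version 0x0502, and the sample keytab is constructed with all-zero dummy keys to mirror the klist output above.

```python
import struct
# msDS-SupportedEncryptionTypes bit -> (Kerberos enctype number, klist name)
BITS = {0x01: (1, "des-cbc-crc"), 0x02: (3, "des-cbc-md5"),
        0x04: (23, "arcfour-hmac"), 0x08: (17, "aes128-cts-hmac-sha1-96"),
        0x10: (18, "aes256-cts-hmac-sha1-96")}

def _counted(rec, off):                   # 16-bit length-prefixed string
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size <= 0:                     # negative size marks a deleted entry (hole)
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part)
        off += 8                          # skip name type and timestamp
        kvno, etype, klen = struct.unpack_from(">BHH", rec, off)
        off += 5 + klen                   # key bytes are never read or printed
        if len(rec) - off >= 4:           # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, etype))
    return entries

def missing_enctypes(keytab, principal, supported_mask):
    """Names of enctypes enabled in the mask but absent from the keytab."""
    have = {e for p, _, e in parse_keytab(keytab) if p == principal}
    return [name for bit, (etype, name) in sorted(BITS.items())
            if supported_mask & bit and etype not in have]

def _entry(realm, name, kvno, etype, key):   # builds one constructed test entry
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 1) + cs(realm) + cs(name) + struct.pack(">II", 1, 0)
            + struct.pack(">BHH", kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body
# Constructed sample mirroring the klist output in the thread (all-zero dummy keys).
SAMPLE = b"\x05\x02" + b"".join(
    _entry("XXX", "dns-dc2", 4, e, bytes(n)) for e, n in ((23, 16), (3, 8), (1, 8)))
```

Against a real file, pass `open("dns.keytab", "rb").read()` as the first argument; a non-empty result for mask 31 reproduces the symptom reported here.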