
Re: [Samba] missing enctypes in exported keytab




On 29.04.2019 at 12:55, L.P.H. van Belle via samba wrote:
> Hai, 
>
> That's a strange one..
>
>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) 
> Try this first. 
>  sudo samba-tool domain exportkeytab dns.keytab  --principal=dns-dc2

Same result. Cheers,

Christian

>
>
> Greetz, 
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Christian via samba
>> Sent: Monday, 29 April 2019 12:30
>> To: samba@xxxxxxxxxxxxxxx
>> Subject: [Samba] missing enctypes in exported keytab
>>
>> Dear all,
>>
>> This is using Debian stretch and Louis' 4.8.11 packages. I am trying to
>> export a keytab, and even for a UPN, Samba does not export the AES keys.
>> What could be the mistake?
>>
>> root@dc2:~# net ads enctypes list dns-dc2
>> 'dns-dc2' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
>> [X] 0x00000001 DES-CBC-CRC
>> [X] 0x00000002 DES-CBC-MD5
>> [X] 0x00000004 RC4-HMAC
>> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
>> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>> root@dc2:~# rm dns.keytab
>> rm: remove regular file 'dns.keytab'? y
>> root@dc2:~# samba-tool domain exportkeytab --principal=dns-dc2 dns.keytab
>> Export one principal to dns.keytab
>> root@dc2:~# klist -ke dns.keytab
>> Keytab name: FILE:dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    4 dns-dc2@XXX (arcfour-hmac)
>>    4 dns-dc2@XXX (des-cbc-md5)
>>    4 dns-dc2@XXX (des-cbc-crc)
>>
>> For reference, on the first DC, for example the DNS keytab for BIND9_DLZ
>> exported during provisioning, has all 5 enctypes on it...
>>
>> Thanks for any insights,
>>
>> Christian
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>


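The comparison made by hand in the thread (the account's "msDS-SupportedEncryptionTypes" value against the enctypes that `klist -ke` shows in the exported keytab) can be scripted. This is an added example, not part of the original messages and not Samba code; the function names are hypothetical, and it assumes the MIT-style enctype names seen in the quoted klist output.

```python
import re

# msDS-SupportedEncryptionTypes bits (as printed by `net ads enctypes list`)
# mapped to the enctype names that `klist -ke` prints (assumed MIT naming).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One keytab entry line: "<kvno> <principal> (<enctype>)". Newer MIT klist
# builds prefix weak enctypes with "DEPRECATED:", which is stripped here.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def decode_mask(mask):
    """Return the set of enctype names enabled in the attribute value."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}

def parse_klist(text):
    """Map (principal, kvno) -> set of enctypes found in `klist -ke` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            key = (m.group(2), int(m.group(1)))
            entries.setdefault(key, set()).add(m.group(3).lower())
    return entries

def missing_enctypes(mask, klist_text, account):
    """Enctypes the account advertises but its newest keytab entry lacks."""
    entries = {k: v for k, v in parse_klist(klist_text).items()
               if k[0].split("@")[0] == account}
    if not entries:
        raise ValueError(f"no keytab entries for {account}")
    newest = max(entries, key=lambda k: k[1])  # highest KVNO wins
    return sorted(decode_mask(mask) - entries[newest])

# Sample input: the klist output quoted in the thread (realm redacted there).
SAMPLE_KLIST = """\
Keytab name: FILE:dns.keytab
KVNO Principal
---- ----------
   4 dns-dc2@XXX (arcfour-hmac)
   4 dns-dc2@XXX (des-cbc-md5)
   4 dns-dc2@XXX (des-cbc-crc)
"""

if __name__ == "__main__":
    for name in missing_enctypes(31, SAMPLE_KLIST, "dns-dc2"):
        print("missing from keytab:", name)
```

A non-empty result for the AES entries means services using this keytab can only accept RC4 or DES tickets for that principal.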