Web lists-archives.com

Re: [Samba] missing enctypes in exported keytab




Am 29.04.2019 um 19:21 schrieb Rowland Penny via samba:
> On Mon, 29 Apr 2019 19:02:44 +0200
> Christian via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>>>>> Thats a strange one.. 
>>>>>    
>>>>>> This is correct: 'dns-dc2' uses "msDS-SupportedEncryptionTypes":
>>>>>> 31 (0x0000001f)     
>>>>> Try this first. 
>>>>>  sudo samba-tool domain exportkeytab dns.keytab
>>>>> --principal=dns-dc2    
>>>> Same result. Cheers,
>>>>  
>>> what is the output of 'samba-tool domain level show'   
>> root@dc1:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=.....'
>>
>> Forest function level: (Windows) 2003
>> Domain function level: (Windows) 2003
>> Lowest function level of a DC: (Windows) 2008 R2
>>
>> root@dc1:~#
>>
>> Thanks,
>>
>> Christian
>>
>>
> That explains it ;-)
>
> Try raising the functional level to 2008R2
>
> samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
>
> Rowland
>
Still the same:

root@dc1:~# rm -f dns.keytab
root@dc1:~# samba-tool domain level show
Domain and forest function level for domain 'DC=.......'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc1:~# samba-tool domain exportkeytab dns.keytab  --principal=dns-dc1
Export one principal to dns.keytab
root@dc1:~# klist -ke dns.keytab
Keytab name: FILE:dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)


I should mention that the AD is the result of a classicupgrade... Thanks,

Christian


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba