
Re: [Samba] missing enctypes in exported keytab




On Mon, 29 Apr 2019 19:31:55 +0200
Christian via samba <samba@xxxxxxxxxxxxxxx> wrote:

   
> >> root@dc1:~# samba-tool domain level show
> >> Domain and forest function level for domain 'DC=.....'
> >>
> >> Forest function level: (Windows) 2003
> >> Domain function level: (Windows) 2003
> >> Lowest function level of a DC: (Windows) 2008 R2
> >>
> > That explains it ;-)
> >
> > Try raising the functional level to 2008R2
> >
> > samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
> >
> > Rowland
> >  
> Still the same:
> 
> root@dc1:~# rm -f dns.keytab
> root@dc1:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=.......'
> 
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc1:~# samba-tool domain exportkeytab dns.keytab --principal=dns-dc1
> Export one principal to dns.keytab
> root@dc1:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc1@XXX (arcfour-hmac)
>    1 dns-dc1@XXX (des-cbc-md5)
>    1 dns-dc1@XXX (des-cbc-crc)
> 
> 
> I should mention that the AD is the result of a classicupgrade...
> Thanks,

That shouldn't make any difference; the 2003 level only used the three
enctypes you have now. This is on one of my DCs:

root@dc4:~# samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@dc4:~# klist -ke /root/dns.keytab 
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96) 
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96) 
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (arcfour-hmac) 
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-md5) 
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-crc) 

Have you restarted the Samba DC?

Rowland
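
Added example, not part of the original message: a shell check that reads `klist -ke` output and flags any principal whose keytab entries include no AES key, as in the dns-dc1 export quoted above. The function name `check_keytab_enctypes` is hypothetical, and the parser assumes the `klist -ke` layout shown in this thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: flag keytab entries that have no AES key.
# Assumes the `klist -ke` layout shown in the thread (no -t timestamps).

# Sample input: the two listings quoted in the thread.
sample_dc1='Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc1@XXX (arcfour-hmac)
   1 dns-dc1@XXX (des-cbc-md5)
   1 dns-dc1@XXX (des-cbc-crc)'
sample_dc4='Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (arcfour-hmac)
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-md5)
   1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-crc)'

# check_keytab_enctypes (hypothetical helper): reads `klist -ke` output on
# stdin, prints "OK" or "WEAK" per principal and KVNO, and returns 1 if any
# principal/KVNO pair has no aes128/aes256 key.
check_keytab_enctypes() {
    awk '
        # Entry lines: <kvno> <principal> (<enctype>)
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            key = $2 " kvno=" $1
            enc = substr($NF, 2, length($NF) - 2)
            if (key in list) { list[key] = list[key] "," enc }
            else { order[++n] = key; list[key] = enc }
            if (enc ~ /aes(128|256)-cts/) { aes[key] = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (k in aes) { printf "OK %s [%s]\n", k, list[k] }
                else { printf "WEAK %s [%s]\n", k, list[k]; bad = 1 }
            }
            exit bad + 0
        }'
}

# Stand-alone run over both samples.
printf '%s\n' "$sample_dc1" | check_keytab_enctypes || true
printf '%s\n' "$sample_dc4" | check_keytab_enctypes || true
```

On a DC the same function can be fed directly, for example `klist -ke dns.keytab | check_keytab_enctypes`.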


