
Re: [Samba] missing enctypes in exported keytab




On Mon, 2019-04-29 at 18:56 +0100, Rowland Penny via samba wrote:
> 
> That shouldn't make any difference, the 2003 level only used the three
> enctypes you have now, this is on one of my DC's:
> 
>  root@dc4:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
> 
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root@dc4:~# klist -ke /root/dns.keytab 
> Keytab name: FILE:/root/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96) 
>    1 dns-dc4@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96) 
>    1 dns-dc4@xxxxxxxxxxxxxxxxxx (arcfour-hmac) 
>    1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-md5) 
>    1 dns-dc4@xxxxxxxxxxxxxxxxxx (des-cbc-crc) 
> 
> Have you restarted the Samba DC ?

The password needs to be changed to get a new encryption type in the
DB, and so therefore the keytab.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
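
Added example (not part of the message above and not Samba's own code): a Python check that parses `klist -ke` output in the layout quoted in this thread and reports, for each principal's highest KVNO, which AES enctypes are missing and which legacy ones are still present. The sample output, the realm SAMDOM.EXAMPLE.COM and the principal old-svc are constructed for illustration.

```python
import re

# Constructed sample: `klist -ke` output in the layout quoted above, plus a
# hypothetical principal whose password was last set before AES keys existed.
SAMPLE = """\
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   2 old-svc@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   2 old-svc@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   2 old-svc@SAMDOM.EXAMPLE.COM (des-cbc-crc)
"""

AES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
LEGACY = {"arcfour-hmac", "des-cbc-md5", "des-cbc-crc"}
# One keytab entry: KVNO, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {(principal, kvno): set of enctype names}; headers are skipped."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            # Newer MIT klist prints e.g. "DEPRECATED:arcfour-hmac"; drop the tag.
            keys.setdefault((principal, int(kvno)), set()).add(enctype.split(":")[-1])
    return keys

def audit(text):
    """Report the enctypes of each principal's current (highest-KVNO) keys."""
    keys = parse_klist(text)
    report = {}
    for principal in {p for p, _ in keys}:
        kvno = max(k for p, k in keys if p == principal)
        have = keys[(principal, kvno)]
        report[principal] = {
            "kvno": kvno,
            "missing_aes": sorted(AES - have),
            "legacy": sorted(LEGACY & have),
            # Per the reply above, new enctypes only appear after a password change.
            "needs_password_change": bool(AES - have),
        }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```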



