[Samba] Exporting keytab for SPN failure
Michael A Weber via samba
I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
net.export_keytab(keytab=keytab, principal=principal)
Steps taken to recreate:
1. Create a user for the SPN
samba-tool user create web-intranet-macmini
<provided password when prompted>
2. Add the SPN:
samba-tool spn add HTTP/hostname.domai...@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
<succeeded without error>
3. Export the keytab file to be used on the intranet host:
samba-tool domain exportkeytab ~/intranet-macmini.keytab —principal=HTTP/hostname.domai...@DOMAIN2.DOMAIN1.TLD
<Get the error listed above>
Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat finger anything (and to make sure my contact lenses are making me see what I think I’m seeing) and I still get the error.
When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
Is there something glaringly obvious I’m missing?
Mike
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny via samba
is the user.
Rowland
Michael A Weber via samba
That appears to have worked.
Should the wiki page be modified/updated to reflect this? Also, I think some of the wording is confusing on the wiki page, specifically “this should then produce the keytab for the principAL ‘that you have exported’…”
I’ve already exported a principAL? When? Or, am I currently exporting a principal with the samba-tool right then and there?
https://wiki.samba.org/index.php/Generating_Keytabs <https://wiki.samba.org/index.php/Generating_Keytabs>
Mike
Achim Gottinger via samba
when creating the realm. It should be added automatically adn you can
verify it with
klist -Kek [your keytabfile]
Rowland Penny via samba
Achim Gottinger via samba
No offence but it is indeed possible to use the SPN as principal name.
Try it it works. There is no need to use the realm part during spn add.
Afterwards the SPN with and without the realm can be used with domain
exportkeytab as principal.
achim~
Michael A Weber via samba
Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <sa...@lists.samba.org> wrote:
>
> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
>
> Rowland
>
Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 web-intran...@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
1 web-intran...@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
1 web-intran...@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
1 web-intran...@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
1 web-intran...@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
Experts--
So, which method is the correct way to export a keytab for an SPN for, say, Apache?
Question though, just for my curiosity:
The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
Mike
Rowland Penny via samba
username, but you are quite correct, you can use the spn as a principal.
Ah well, back to editing the wiki.
Achim Gottinger via samba
Am 14.09.2016 um 18:23 schrieb Michael A Weber:
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that
> aes-256 is listed when I export the user, but not the SPN. Are those
> expected, or have I done something wrong and used incorrect algorithms
> somewhere? I recall reading that DES is not secure enough and that
> AES-256 (I think I read this during TLS enablement) is what should be
> used.
hostname without the domain part the aes keys are included. In your case
--principal HTTP/intranet.
The encryption methods used can be controlled with net ads enctypes.
If i run (after kinit Administrator)
net ads enctypes list dc1$
i get
'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
If i use
net ads enctypes list dc1.domain.local$
i get
no account found with filter:
(&(objectclass=user)(sAMAccountName=dc1.domain.local$))
Seems "samba-tool domain exportkeytab" uses an similar algorythm and
therefore does not find the account and uses des and arcfour keys per
default.
Achim Gottinger via samba
enctypes so it does not seem to inspect the
msDS-SupportedEncryptionTypes attribute, neighter of the user account
(UPN) nor of the hosts account (hostname part of the SPN). I'm using an
4.4.5 backport on debian jessie btw.
Michael A Weber via samba
> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba <sa...@lists.samba.org> wrote:
>
>
>
> Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
> I get the same behaviour here. If i do nout use the FQDN and only the hostname without the domain part the aes keys are included. In your case --principal HTTP/intranet.
samba-tool spn list web-intranet-macmini
web-intranet-macmini
User CN=web-intranet-macmini,CN=Users,DC=domain2,DC=domain1,DC=tld has the following servicePrincipalName:
HTTP/intranet.domain2.domain1.tld
Then, if I go to export the keytab as you have indicated above with —principal=HTTP/intranet it errors:
samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/intranet
File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
net.export_keytab(keytab=keytab, principal=principal)
I feel I’m missing something.
>
> The encryption methods used can be controlled with net ads enctypes.
>
> If i run (after kinit Administrator)
> net ads enctypes list dc1$
> i get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> If i use
> net ads enctypes list dc1.domain.local$
> i get
> no account found with filter: (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>
> Seems "samba-tool domain exportkeytab" uses an similar algorythm and therefore does not find the account and uses des and arcfour keys per default.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Achim Gottinger via samba
Am 14.09.2016 um 18:23 schrieb Michael A Weber:
>
>>
>>
>>
>> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>>> Experts—
>>>
>>> I’m attempting to export a keytab for a created SPN on the AD DC
>>> machine but I’m receiving an error:
>>>
>>> ERROR(runtime): uncaught exception - Key table entry not found
>>> File
>>> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
>>> 175, in _run
>>> return self.run(*args, **kwargs)
>>> File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>> line 129, in run
>>> net.export_keytab(keytab=keytab, principal=principal)
>>>
>>> Steps taken to recreate:
>>>
>>> 1. Create a user for the SPN
>>>
>>> samba-tool user create web-intranet-macmini
>>> <provided password when prompted>
>>>
>>> 2. Add the SPN:
>>>
>>> samba-tool spn add
>>> HTTP/hostname.domai...@DOMAIN2.DOMAIN1.TLD
>>> <succeeded without error>
>>>
>>> 3. Export the keytab file to be used on the intranet host:
>>>
>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab
>>> —principal=HTTP/hostname.domai...@DOMAIN2.DOMAIN1.TLD
> 1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD
> <mailto:domain2.d...@domain2.domain1.tld> (des-cbc-md5)
> 1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD
> <mailto:domain2.d...@domain2.domain1.tld> (arcfour-hmac)
>
>
>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
>>
>> Yes, the principal isn't the SPN when you try to export the keytab, it
>> is the user.
>>
>> Rowland
>>
>
>
> Rowland, when I use your method of specifying the principal as the
> user and not the SPN, I get what I would think for Apache would be a
> completely incorrect keytab as verified by the klist -Kek command:
>
> Keytab name: FILE:/root/intranet-macmini.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 web-intran...@DOMAIN2.DOMAIN1.TLD
> 1 web-intran...@DOMAIN2.DOMAIN1.TLD
> <mailto:web-intran...@domain2.domain1.tld> (des-cbc-md5)
> 1 web-intran...@DOMAIN2.DOMAIN1.TLD
> <mailto:web-intran...@domain2.domain1.tld> (aes128-cts-hmac-sha1-96)
> 1 web-intran...@DOMAIN2.DOMAIN1.TLD
> <mailto:web-intran...@domain2.domain1.tld> (aes256-cts-hmac-sha1-96)
> 1 web-intran...@DOMAIN2.DOMAIN1.TLD
> <mailto:web-intran...@domain2.domain1.tld> (arcfour-hmac)
>
> Experts--
>
> So, which method is the correct way to export a keytab for an SPN for,
> say, Apache?
>
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that
> aes-256 is listed when I export the user, but not the SPN. Are those
> expected, or have I done something wrong and used incorrect algorithms
> somewhere? I recall reading that DES is not secure enough and that
> AES-256 (I think I read this during TLS enablement) is what should be
> used.
>
> Mike
password for the user account with this.
#ktutil
ktutil: rkt [keytabfile]
ktutil: addent -password -p
HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD
<mailto:domain2.d...@domain2.domain1.tld> -k 1 -e
aes256-cts-hmac-sha1-96
ktutil: [enter the password used for web-intranet-macmini]
ktutil: wkt [keytabfile]
ktutil: q
I have not tested this but it should work used an similar approach with
samba 4.0 for imap and smtp principals.
Achim Gottinger via samba
Am 14.09.2016 um 19:53 schrieb Michael A Weber:
>
>> On Sep 14, 2016, at 12:23 PM, Achim Gottinger via samba
net ads enctypes set web-intranet-macmini 31
Afterwards "domain export" will export also aes keys for the SPN's.
Michael A Weber via samba
>> I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.
>>
>> Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
>>
>> ---- --------------------------------------------------------------------------
>> 1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD <mailto:HTTP/intranet.domai...@domain2.domain1.tld> (des-cbc-crc)
>> 1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD <mailto:domain2.d...@domain2.domain1.tld> (des-cbc-md5)
>> 1 HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD <mailto:domain2.d...@domain2.domain1.tld> (arcfour-hmac)
>>
>>
>>
>>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <sa...@lists.samba.org <mailto:sa...@lists.samba.org>> wrote:
>>>
>>> Yes, the principal isn't the SPN when you try to export the keytab, it
>>> is the user.
>>>
>>> Rowland
>>>
>>
>>
>>
>> Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab as verified by the klist -Kek command:
>>
>> ---- --------------------------------------------------------------------------
>> 1 web-intran...@DOMAIN2.DOMAIN1.TLD <mailto:web-intran...@domain2.domain1.tld> (des-cbc-crc)
>> 1 web-intran...@DOMAIN2.DOMAIN1.TLD <mailto:web-intran...@domain2.domain1.tld> (des-cbc-md5)
>> 1 web-intran...@DOMAIN2.DOMAIN1.TLD <mailto:web-intran...@domain2.domain1.tld> (aes128-cts-hmac-sha1-96)
>> 1 web-intran...@DOMAIN2.DOMAIN1.TLD <mailto:web-intran...@domain2.domain1.tld> (aes256-cts-hmac-sha1-96)
>> 1 web-intran...@DOMAIN2.DOMAIN1.TLD <mailto:web-intran...@domain2.domain1.tld> (arcfour-hmac)
>>
>>
>> Experts--
>>
>> So, which method is the correct way to export a keytab for an SPN for, say, Apache?
>>
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
>>
>> Mike
> You can use ktutil to add the aes keys manual. You can not use an random password for the user account with this.
>
> #ktutil
> ktutil: rkt [keytabfile]
> ktutil: addent -password -p HTTP/intranet.domai...@DOMAIN2.DOMAIN1.TLD <mailto:domain2.d...@domain2.domain1.tld> -k 1 -e aes256-cts-hmac-sha1-96
> ktutil: [enter the password used for web-intranet-macmini]
> ktutil: wkt [keytabfile]
> ktutil: q
>
> I have not tested this but it should work used an similar approach with samba 4.0 for imap and smtp principals.
However, for Rowland’s wiki needs, what would be the correct way/command to export this so that the SPN listed is the one intended (i.e. HTTP/fqhn@realm) since using —principal=user exports a keytab with a user@realm, not the intended SPN? I’m guessing we do it as you have suggested by leaving off the realm, and then for the added algorithms, we add them via ktutil.
Does that sound right?
Mike
Rowland Penny via samba
user, you get this:
root@dc1:~# ktutil
ktutil: rkt /root/ktestuser.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ktes...@SAMDOM.EXAMPLE.COM
2 2 ktes...@SAMDOM.EXAMPLE.COM
3 2 ktes...@SAMDOM.EXAMPLE.COM
4 2 ktes...@SAMDOM.EXAMPLE.COM
5 2 ktes...@SAMDOM.EXAMPLE.COM
ktutil: q
And if you use the spn, you get this:
root@dc1:~# ktutil
ktutil: rkt /root/ktestuser1.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 HTTP/dc1.samdom....@SAMDOM.EXAMPLE.COM
2 2 HTTP/dc1.samdom....@SAMDOM.EXAMPLE.COM
3 2 HTTP/dc1.samdom....@SAMDOM.EXAMPLE.COM
ktutil: q
Rowland
Michael A Weber via samba
>> Mike
> Try this
> net ads enctypes set web-intranet-macmini 31
>
> Afterwards "domain export" will export also aes keys for the SPN's.
Now, I’m going to use ktutil to pull these into my existing keytab on the destination machine and begin my testing.
Thank you tremendously (although I think we may have created hell for Rowland with the wiki documentation)!
Mike
Achim Gottinger via samba
Am 14.09.2016 um 20:33 schrieb Michael A Weber:
>
>> On Sep 14, 2016, at 1:10 PM, Achim Gottinger <ac...@ag-web.biz
>> Try this
>> net ads enctypes set web-intranet-macmini 31
>>
>> Afterwards "domain export" will export also aes keys for the SPN's.
>
> And, this is why I addressed you as “experts” earlier. Indeed, it did!
>
> Now, I’m going to use ktutil to pull these into my existing keytab on
> the destination machine and begin my testing.
>
> Thank you tremendously (although I think we may have created hell for
> Rowland with the wiki documentation)!
>
> Mike
bringing it up on the list.
If an user gets created the attribute msDS-SupportedEncryptionTypes
remains undefined and in this case only des and rc4 keys are exported.
net ads enctypes set [hostname] [key value] can be used to define the
valid keys for an accound (and it's spn's).
The key value is repesented as
0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96
So using 31 enables all of them. samba-tool domain exportkeytab does
always export des and rc4 keys but honours 0x8 for aes128 and 0x10 for
aes256.
I assume if enctypes are set to 24 for example (only aes128/256) the
server will honour this and decline des and rc4 attempts.
Michael A Weber via samba
>>>> Mike
>>> Try this
>>> net ads enctypes set web-intranet-macmini 31
>>>
>>> Afterwards "domain export" will export also aes keys for the SPN's.
>>
>> And, this is why I addressed you as “experts” earlier. Indeed, it did!
>>
>> Now, I’m going to use ktutil to pull these into my existing keytab on the destination machine and begin my testing.
>>
>> Thank you tremendously (although I think we may have created hell for Rowland with the wiki documentation)!
>>
>> Mike
> I was wondering about the missing aes keys for an while. So thanks for bringing it up on the list.
>
> If an user gets created the attribute msDS-SupportedEncryptionTypes remains undefined and in this case only des and rc4 keys are exported.
>
> net ads enctypes set [hostname] [key value] can be used to define the valid keys for an accound (and it's spn's).
>
> The key value is repesented as
> 0x00000001 DES-CBC-CRC
> 0x00000002 DES-CBC-MD5
> 0x00000004 RC4-HMAC
> 0x00000008 AES128-CTS-HMAC-SHA1-96
> 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> So using 31 enables all of them. samba-tool domain exportkeytab does always export des and rc4 keys but honours 0x8 for aes128 and 0x10 for aes256.
> I assume if enctypes are set to 24 for example (only aes128/256) the server will honour this and decline des and rc4 attempts.
>
>
>
Rowland—
This whole thing seems to me like we are duplicating the functionality of the ktpass command on a Windows AD. With that command, one would need to include an encoding type, and I’m just wondering if it should be included in the wiki pages as well rather than trying to add it back manually after the export. Also, something tells me that the ktpass command, when creating the SPN for a user, also sets the required encoding type.
Thoughts?
Mike
Rowland Penny via samba
adds the 'servicePrincipalName', no enctypes are mentioned.
Exporting the keytab is the same, there is no mention of enctypes
So, until this changes, the wiki can only document what actually
happens.
Rowland
Achim Gottinger via samba
As I wrote before you can use the command
net ads enctypes set [username] 31
to convince domain export to export also the aes keys for the SPN's
assigned to [username] like it is done for [username].
If only aes keys are wanted in the keytab file unwanted keys can be
removed from the keytab file with ktutil.
See here for more info about "net ads enctypes"
https://www.mail-archive.com/cifs-p...@lists.samba.org/msg00062.html.
It controls which encryption types are used for ticket generation on the
server.
achim~
Robert Moulton via samba
I've been trying to follow this thread but admit I'm still missing
something. Given the example below, what needs to be done to get the aes
keys in the keytab, exactly?
# net ads enctypes list hostname$
'hostname$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
# samba-tool domain exportkeytab test --principal=hostname$
# klist -ke test
Keytab name: FILE:test
KVNO Principal
----
--------------------------------------------------------------------------
1 hostname$@EXAMPLE.COM (des-cbc-crc)
1 hostname$@EXAMPLE.COM (des-cbc-md5)
1 hostname$@EXAMPLE.COM (arcfour-hmac)
Achim Gottinger via samba
What version of samba are you using? For my tests i used 4.4.5. "net
enctypes" was added wth version 4.2.10.
Setting enctypes was only necessary here for aes keys with spn's as
principals. upn's/usernames always export the aes keys here.
Rowland Penny via samba
If I 'kinit Administrator' before running your commands as root on a
DC, I get this:
klist -ke devstation.keytab
Keytab name: FILE:devstation.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 devstation$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
1 devstation$@SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 devstation$@SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-md5)
1 devstation$@SAMDOM.EXAMPLE.COM (des-cbc-crc)
Rowland
Robert Moulton via samba
4.4.5 here, too.
# samba -V
Version 4.4.5
Rowland Penny via samba
Good point, but a computer only has SPNs
Rowland
Achim Gottinger via samba
Just tested with 4.2.10 and i get your results no aes keys in export.
Achim Gottinger via samba
In above test the hostname/username was used as principal. You are right
the userPrincipalName attribute is not used for computer accounts. Still
it is possible to export an keytab for the hostname.
Rowland Penny via samba
Ah, I wonder if Robert's AD has been upgraded to 4.4.5 ? and the
enctypes have never been added during the upgrade.
Rowland
Achim Gottinger via samba
Odd, it just works here with 4.4.5 also for hostnames even with aes
disabled in enctypes all five keys are generated.
What os are you using and how did you install samba?
Rowland Penny via samba
Yes 'hostname' was used, but if you look carefully, there is a '$' on
the end, this make is definitely a computer.
Rowland
Achim Gottinger via samba
It's getting abit of topic doesnt it?
Of course by using the word hostname i talk about an computer account. :-)
User and Computer account both use the objectClass user the
userPrincipalName attribute belongs to that class so in theory even an
computer account may have an upn (aka userPrincipalName) defined.
It's odd that the aes keys are not exported for robert, however. Maybe
he's on gentoo and affected by it's system heimdal issues.
Robert Moulton via samba
Yeah, sorry, I should have specified that I did exactly that -- 'kinit
Administrator' as root, on a DC -- followed by the sequence of commands
I listed.
Hm ... would domain/forest functional level matter? we've never bothered
to raise ours from the default.
Achim Gottinger via samba
That's it. On my 4.2.10 server the domain and forest level was 2003 so i
raised it to 2008 R2. Tested with an user account and at first it
exported only des and rc4 keys. After setting the password for that user
again (what rowland recommended in an other reply) it does now export
aes keys for that user. For an computer account you may have to rejoin
the computer to trigger the generation of an new password for that
account immediate.
Robert Moulton via samba
CentOS 6.8, Samba 4.4.5 compiled from source, installed to update the
original Samba 4.3.3, also compiled from source.
It's particularly interesting (to me, at least) because the CentOS
'adcli' utility, when used to join a system to this same domain, creates
a keytab which *does* include the aes keys. But if I subsequently use
samba-tool to create a keytab for that host, those aes keys are still
absent.
Robert Moulton via samba
Excellent, thanks. Indeed, it worked for me here, too, on a test domain.
One final (I think/hope) question: How might I deal with password resets
of the DC computer accounts themselves, to trigger the creation of their
AES keys?
Achim Gottinger via samba
The password is changed every 30 days by default if you did not disable
it via gpo.
https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/
See here how to reset the computer account passwords manualy.
Achim Gottinger via samba
For the samba dc's you can use
samba-tool user setpassword hostname$
Robert Moulton via samba
Heh, sheesh, embarrassing ... as easy as that.
Thanks for your guidance! Rowland, thank you for chiming in as well!
Achim Gottinger via samba
Hmm, can be this does mess up replication.
Achim Gottinger via samba
Yes it does mess up replication! Do not use setpassword for the samba
host !!!
Glad I made an snapshot of my test vm before i tried it.
It worked for an windows 7 client hosever the LDAP and cifs tickets
where using aes256.
Achim Gottinger via samba
Reading https://wiki.samba.org/index.php/Keytab_Extraction
----- snip ----------------
Offline Keytab Creation from Secrets.tdb
If the net command fails (after all, that could be the reason for us to
start sniffing...), you can still generate a keytab without domain admin
credentials, if you can get a hold on the server's secrets.tdb. This
method can also be done offline on a different machine.
tdbdump secrets.tdb
Now look for the key SECRETS/MACHINE_PASSWORD/<domain> - the password is
the value without the trailing zero. Use the *ktutil* utility to
construct the keytab:
------ snap -------------
We do not use ktutil but use the password mentioned here for the
"samba-tool user setpassword hostname$" command.
This does not break replication and the aes keys are exported.
r moulton via samba
Ah, okay, I think I've got it, for my production domain:
- step 1: use the above tdbdump trick to identify the existing password
- step 2: use samba-tool to "reset" the password to the same value
I already reset the password of the single DC in my test domain.
Without other DCs in the picture there's effectively no harm done,
right? I do have a fairly recent samba_backup dump to use, if
necessary.
Achim Gottinger via samba
I tried to set the hosts password to something random and afterwards to
the content in secrets.tdb again. Afterwards replication was broken again.
The keyfile used for replication seems to be
/var/lib/samba/private/secrets.keytab.
It can be recreated after the password change with:
samba-tool domain exportkeytab secrets.keytab --principal=HOST/server
samba-tool domain exportkeytab secrets.keytab
--principal=HOST/server.domain.tld
samba-tool domain exportkeytab secrets.keytab --principal=SERVER$
With this new secrets.keytab replications started working on my first dc
again. But it is broken on the second one.
It's abit tricky. :-)
Achim Gottinger via samba
Been having a few other network issues in my test environment. Tried
step1/2 on both dc's and things just keep running.
After the samba-tool password reset there is usually an
WERR_NETNAME-DELETE or similar error which disapers with the next
replication.
There was no need to recreate the secrets.keytab.
Achim Gottinger via samba
There is still one difference when comparing an upgrade domain with an
fresh installed domain.
On the upgraded domain (raised function level, regenerated dc keys) when
in run klist on an connected windows client (password reset was done
with the netdom command) there are still two tickets using rc4 encryption.
#0 krbtgt/DOMAI...@DOMAIN.TLD - ticket and session encryption RC4
#1 krbtgt/DOMAI...@DOMAIN.TLD - ticket encryption RC4 and session
encryption AES256
These keys use only AES256 on my 4.4.5 test environment which ran on
2008 R2 level all the time.
So there must be an domain account whoms keys must also be regenerated.
I have no idea how to reset that.
Achim Gottinger via samba
Just to be sure i added an third dc (different site and subnet) and
reset this dc's password using the one storde on that dc in secrets.tdb.
This also worked. Here is the error message which appears once during
replication afterwards.
DC=DomainDnsZones,DC=domain,DC=tld
MUC\DC3 via RPC
DSA object GUID: [GUID]
Last attempt @ Sat Sep 17 19:26:59 2016 CEST failed,
result 64 (WERR_NETNAME_DELETED)
1 consecutive failure(s).
Last success @ Sat Sep 17 19:25:44 2016 CEST
This error propagates from dc2 to dc1 to dc3 back to dc1 and back to dc3
then it is gone.
Achim Gottinger via samba
After reading this https://adsecurity.org/?p=483 I tried to change the
krbtgt passwort using "samba-tool user setpassword krbtgt".
After that the remianing tickets using rc4 now also use aes256. Also
running "kinit Administrator; klist -e" show aes256 is used for ticket
and session encryption now.
Above article mentiones the krbtgt password is changed if the domain
level is raised from 2003 to 2008 (R2). Seems this is not the case on a
samba dc otherwise the aes encrypted keys would exist.
Robert Moulton via samba
I resumed testing today, and I'm sort of lost again. In my test domain,
if you recall, I had done 'samba-tool user setpassword hostname$' to
reset the DC password to a new randomly-specified value. Today, I
noticed that I could no longer log on to a Win 2012 member server in
that test domain. After trying a few things and reviewing samba logs I
ended up reverting to a Samba snapshot from a time prior to the date on
which I started this exercise. All is working now, but I'm back at the
default Win 2003 functional level. Am I understanding correctly that I
should adjust the prescribed steps as follows?
- step 1: raise functional levels to 2008_R2
- step 2: use the tdbdump trick to identify the existing DC password
- step 3: use samba-tool to "reset" the DC password to that same value
- step 4: use samba-tool to reset the krbtgt password to a *new* value
Achim Gottinger via samba
Yes these where the steps I used here. Using an random password (not the
one from secrets.tdb) also resulted in an broken dc for me. Make sure
you do not include the trailing \00 used in the password field in
secrets.tdb!
Robert Moulton via samba
Okay, thanks. And you read my mind; I'd been meaning to ask for
clarification on those samba wiki instructions: "the password is the
value without the trailing zero" (singular, with no mention of the
preceding '\').