Hello,
I am working with integrating various Linux distros as domain members
with an Active Directory Domain running on Windows Server 2008 R2 native.
The Domain admins have allowed DES keys for backwards (nfs)
compatibility, but prefer the default enctypes supported in 2008 R2:
http://support.microsoft.com/kb/977321
* AES256-CTS-HMAC-SHA1-96
* AES128-CTS-HMAC-SHA1-96
* RC4-HMAC
I would like to allow the Domain Members to work with their own keytabs
via the "net ads keytab" command set but have found that the default
(i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
are listed. The Domain admins can use tools on their side to create
SPNs and keytabs that have AES, and we would prefer them over DES/ArcFour
except in special circumstances:
# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/iu-itps-rhel6...@ADS.IU.EDU (DES cbc mode with CRC-32)
5 host/iu-itps-rhel6...@ADS.IU.EDU (DES cbc mode with RSA-MD5)
5 host/iu-itps-rhel6...@ADS.IU.EDU (ArcFour with HMAC/md5)
5 host/IU-ITPS...@ADS.IU.EDU (DES cbc mode with CRC-32)
5 host/IU-ITPS...@ADS.IU.EDU (DES cbc mode with RSA-MD5)
5 host/IU-ITPS...@ADS.IU.EDU (ArcFour with HMAC/md5)
5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with RSA-MD5)
5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
5 ssh/iu-itps-rhel6...@ADS.IU.EDU (DES cbc mode with CRC-32)
5 ssh/iu-itps-rhel6...@ADS.IU.EDU (DES cbc mode with RSA-MD5)
5 ssh/iu-itps-rhel6...@ADS.IU.EDU (ArcFour with HMAC/md5)
5 ssh/IU-ITPS...@ADS.IU.EDU (DES cbc mode with CRC-32)
5 ssh/IU-ITPS...@ADS.IU.EDU (DES cbc mode with RSA-MD5)
5 ssh/IU-ITPS...@ADS.IU.EDU (ArcFour with HMAC/md5)
# net ads keytab list -P
Vno Type Principal
5 DES cbc mode with CRC-32 host/iu-itps-rhel6...@ADS.IU.EDU
5 DES cbc mode with RSA-MD5 host/iu-itps-rhel6...@ADS.IU.EDU
5 ArcFour with HMAC/md5 host/iu-itps-rhel6...@ADS.IU.EDU
5 DES cbc mode with CRC-32 host/IU-ITPS...@ADS.IU.EDU
5 DES cbc mode with RSA-MD5 host/IU-ITPS...@ADS.IU.EDU
5 ArcFour with HMAC/md5 host/IU-ITPS...@ADS.IU.EDU
5 DES cbc mode with CRC-32 IU-ITPS-RHEL6AD$@ADS.IU.EDU
5 DES cbc mode with RSA-MD5 IU-ITPS-RHEL6AD$@ADS.IU.EDU
5 ArcFour with HMAC/md5 IU-ITPS-RHEL6AD$@ADS.IU.EDU
5 DES cbc mode with CRC-32 ssh/iu-itps-rhel6...@ADS.IU.EDU
5 DES cbc mode with RSA-MD5 ssh/iu-itps-rhel6...@ADS.IU.EDU
5 ArcFour with HMAC/md5 ssh/iu-itps-rhel6...@ADS.IU.EDU
5 DES cbc mode with CRC-32 ssh/IU-ITPS...@ADS.IU.EDU
5 DES cbc mode with RSA-MD5 ssh/IU-ITPS...@ADS.IU.EDU
5 ArcFour with HMAC/md5 ssh/IU-ITPS...@ADS.IU.EDU
Is there a way to have the "net" command specify enctypes when working
with keytabs? Can the enctypes be narrowed down via /etc/krb5.conf? I
fear that the enctypes are hard coded in (see here in lines 264-269 -
http://gitweb.samba.org/?p=samba.git;a=blob;f=source3/libads/kerberos_keytab.c;h=721a8c6f53086faf0b058eca690d76c79c2e4e64;hb=HEAD#l264),
is that the case?
Any clarification is much appreciated!
Thanks,
Robert
--
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
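On the /etc/krb5.conf part of the question, the fragment below is an added example (not from this thread) of the MIT Kerberos [libdefaults] settings that decide which enctypes the host's Kerberos library will request and accept. The realm name is a placeholder. Note what it does not do: it does not change which keys `net ads keytab` writes into the keytab, since those entries are produced by Samba rather than by libkrb5. What it does is keep the library from ever negotiating single DES, so DES entries left in the keytab are never used.

```ini
[libdefaults]
    default_realm = EXAMPLE.TEST

    # Refuse single-DES on both the initiator and the acceptor side. This is
    # the MIT krb5 >= 1.8 default; it is stated explicitly so that a site-wide
    # include cannot quietly turn it back on.
    allow_weak_crypto = false

    # Enctypes this host will request and accept, strongest first. Anything
    # not listed here is never negotiated, whatever keys the keytab holds.
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
```

One caveat for a keytab like the one listed above: with no AES keys present, the only enctype this host can actually accept a service ticket in is RC4-HMAC, so the KDC must still be willing to issue RC4 tickets for these SPNs (in AD that is governed by the computer account's msDS-SupportedEncryptionTypes). Restricting the client any further than this list would leave the host unable to validate any ticket at all until AES keys are in the keytab.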
The Samba3 Kerberos code does not understand AES, and so we restrict the
list.
The Samba Team is actively trying to unify the authentication subsystems
which handle this area between Samba3 and Samba4, and we hope to support
this across the whole codebase in the future.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
Thanks for the reply, Andrew,
So, if they are restricted, is there a way to restrict further? For
example, only using RC4-HMAC enctypes? Any "net" syntax tweaks for the
keytab set?
Robert
That's a very interesting question. The best way to restrict that may
simply be to remove them later. I'm pretty sure the KDC will not issue
DES tickets unless it thinks they are the only supported option.
Windows 2008 no longer does the DES thing, and modern kerberos libs on
the clients similarly simply refuse to honour the crypto type, because
as your administrators fear, it is just too weak for modern use.
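Two practical follow-ups to the question about what the keytab contains and to the suggestion of removing the weak keys afterwards, as an added example that is not from this thread or from Samba: a small Python script that parses `klist -ke` output, reports which principals have no AES key at all and which carry single-DES keys, and emits the `ktutil` command sequence that deletes the DES slots. The sample listing is constructed in the same layout as the one above (placeholder host and realm), with one SPN that has AES keys so the contrast shows; the keytab paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout MIT `klist -ke` prints (not the thread's own
# listing): two principals with the DES/RC4-only set that `net ads keytab create`
# produced, plus one SPN whose keys were created with AES on the AD side.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/member.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   5 host/member.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   5 host/member.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
   5 MEMBER$@EXAMPLE.TEST (DES cbc mode with CRC-32)
   5 MEMBER$@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
   5 MEMBER$@EXAMPLE.TEST (ArcFour with HMAC/md5)
   3 HTTP/member.example.test@EXAMPLE.TEST (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 HTTP/member.example.test@EXAMPLE.TEST (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 HTTP/member.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype display name>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def classify(enctype):
    """Map a klist enctype display name to a coarse strength class."""
    name = enctype.lower()
    if "aes" in name:
        return "strong"
    if name.startswith("des "):      # single DES; "Triple DES ..." does not match
        return "weak"
    if "arcfour" in name:            # RC4-HMAC: still accepted by AD, but legacy
        return "legacy"
    return "other"


def parse_klist(text):
    """Return keytab entries in file order; slot numbers match ktutil's list."""
    entries = []
    slot = 0
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        slot += 1
        entries.append({
            "slot": slot,
            "kvno": int(m.group(1)),
            "principal": m.group(2),
            "enctype": m.group(3),
            "class": classify(m.group(3)),
        })
    return entries


def audit(entries):
    """Principals that lack any AES key, and principals that carry a DES key."""
    classes = defaultdict(set)
    for e in entries:
        classes[e["principal"]].add(e["class"])
    return {
        "no_aes": sorted(p for p, c in classes.items() if "strong" not in c),
        "has_weak": sorted(p for p, c in classes.items() if "weak" in c),
    }


def ktutil_script(entries, src="/etc/krb5.keytab", dst="/etc/krb5.keytab.new"):
    """ktutil commands that drop the single-DES entries.

    Slots are deleted highest-first so earlier slot numbers stay valid, and the
    result is written to a new file because ktutil's write_kt appends to an
    existing keytab rather than replacing it. Paths are assumptions.
    """
    weak_slots = sorted((e["slot"] for e in entries if e["class"] == "weak"),
                        reverse=True)
    lines = [f"read_kt {src}"]
    lines += [f"delete_entry {s}" for s in weak_slots]
    lines += [f"write_kt {dst}", "quit"]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    report = audit(parsed)
    print("principals without an AES key:", report["no_aes"])
    print("principals with a DES key:   ", report["has_weak"])
    print("ktutil commands to remove DES entries:")
    print(ktutil_script(parsed))
```

On a real host the input is `klist -ke` output rather than the constructed sample, and the generated commands are fed to `ktutil` (for example with `ktutil < script`); review the new file with `klist -ke /etc/krb5.keytab.new` before moving it into place, and keep in mind that re-running `net ads keytab create` will put the DES entries back for as long as the Samba3 code writes that fixed list.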