Univention Bugzilla – Bug 38105
samba-tool domain exportkeytab doesn't export AES Kerberos keys
Last modified: 2018-03-14 16:01:02 CET
2014111821000309

The keytab written by samba when adding an SPN contains all encryption types:

root@master:~# /usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname 'someaccount' --serviceprincipalname 'SERVICE/someaccount' --privatekeytab 'someaccount.keytab'
User 'someaccount' created successfully
Expiry for user 'someaccount' disabled.
Modified 1 records successfully
Added 1 records successfully
root@master:~# ktutil -k /var/lib/samba/private/someaccount.keytab l
/var/lib/samba/private/someaccount.keytab:

Vno  Type                      Principal                        Aliases
  1  des-cbc-crc               SERVICE/someaccount@S4LISH.QA
  1  des-cbc-crc               someaccount@S4LISH.QA
  1  des-cbc-md5               SERVICE/someaccount@S4LISH.QA
  1  des-cbc-md5               someaccount@S4LISH.QA
  1  arcfour-hmac-md5          SERVICE/someaccount@S4LISH.QA
  1  arcfour-hmac-md5          someaccount@S4LISH.QA
  1  aes128-cts-hmac-sha1-96   SERVICE/someaccount@S4LISH.QA
  1  aes128-cts-hmac-sha1-96   someaccount@S4LISH.QA
  1  aes256-cts-hmac-sha1-96   SERVICE/someaccount@S4LISH.QA
  1  aes256-cts-hmac-sha1-96   someaccount@S4LISH.QA

The keytab exported via "samba-tool domain exportkeytab" is missing the AES types:

root@master:~# samba-tool domain exportkeytab /tmp/exported_someaccount.keytab --principal "someaccount@S4LISH.QA"
root@master:~# ktutil -k /tmp/exported_someaccount.keytab l
/tmp/exported_someaccount.keytab:

Vno  Type                      Principal                        Aliases
  1  des-cbc-crc               someaccount@S4LISH.QA
  1  des-cbc-md5               someaccount@S4LISH.QA
  1  arcfour-hmac-md5          someaccount@S4LISH.QA
The three observations below lead to the impression that "samba-tool user setpassword" currently simply doesn't generate AES keys (UCS 4.0).

1. About the accounts generated via create_spn_account.sh:

ldbsearch -H ldapi:///var/lib/samba/private/ldap_priv/ldapi \
    serviceprincipalname=SERVICE/someaccount supplementalcredentials --show-binary

shows that the account has no AES keys stored. The shell script uses "samba-tool user setpassword". In contrast: the "privatekeytab" generation code generates the keys directly from the cleartext password stored in secrets.ldb. That's why the AES keys are there.

Now as Janis pointed out, https://lists.samba.org/archive/samba-technical/2013-January/090195.html suggests that msDS-SupportedEncryptionTypes could be used to control the generated keys. Let's see in the next case:

2. About UCS Samba4 DC accounts:

The DC Master actually has msDS-SupportedEncryptionTypes: 31, but still the account doesn't show AES keys in Samba (tested with UCS 4.0). But in OpenLDAP it has AES keys. They are not synchronized (see Bug #24437 comment 5). When I stop the connector and run "samba-tool user setpassword" it doesn't create AES keys (neither for the DC Master nor for a normal user). So this doesn't look like a Connector issue. When I start the connector again, OpenLDAP also only shows the keytypes found in Samba, as expected.

Side note: While server_password_change also uses "samba-tool user setpassword" it somehow avoids that the AES keys in OpenLDAP get overwritten.

So my current impression is that something needs to be adjusted either in Samba/AD directory settings or in the Samba code.

3. When I generate a normal user account in UCS 4.0 via UDM-cli the synchronized account in the Samba/AD directory shows the AES keys (Primary:Kerberos-Newer-Keys), and I also get them exported with samba-tool domain exportkeytab.
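As an added check that is not part of the bug report and not Samba or UCS code: a small Python parser for MIT/Heimdal keytab files (file format version 0x0502) that lists entries the way "ktutil -k <file> l" does, reports which AES enctypes are missing for a principal (the symptom of the exported keytab above), and compares the keytab against an msDS-SupportedEncryptionTypes bitmask such as the value 31 mentioned in comment 1. The two sample keytabs are constructed in memory with dummy key bytes to mirror the two listings in the report; the function names, the zero timestamp and the MS-KILE bit-to-enctype mapping used here are this example's own assumptions, not values taken from the page.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Set

# Kerberos enctype numbers for the key types listed in the report
# (RFC 3961/3962 for DES and AES, RFC 4757 for RC4/arcfour).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
AES_ENCTYPES = {17, 18}
# msDS-SupportedEncryptionTypes flag bits (MS-KILE) -> enctype number (assumed mapping).
SUPPORTED_ENCTYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}


@dataclass
class KeytabEntry:
    principal: str  # e.g. "SERVICE/someaccount@S4LISH.QA"
    vno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in keytab format 0x0502 (big-endian, as MIT and Heimdal write it)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)          # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)          # timestamp (constructed: 0)
        body += struct.pack(">B", e.vno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.vno)      # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab; negative-size records are holes left by deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []

    def counted() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        s = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        return s.decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        pos += 8                              # skip name_type and timestamp
        vno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:                    # 32-bit vno present: it overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, vno, enctype, key))
    return entries


def enctypes_for(data: bytes, principal: str) -> Set[int]:
    return {e.enctype for e in parse_keytab(data) if e.principal == principal}


def missing_aes(data: bytes, principal: str) -> Set[int]:
    """AES enctypes the keytab lacks for this principal; empty set means all present."""
    return AES_ENCTYPES - enctypes_for(data, principal)


def advertised_but_missing(data: bytes, principal: str, supported_mask: int) -> Set[int]:
    """Enctypes advertised by msDS-SupportedEncryptionTypes but absent from the keytab."""
    advertised = {et for bit, et in SUPPORTED_ENCTYPE_BITS.items() if supported_mask & bit}
    return advertised - enctypes_for(data, principal)


def ktutil_list(data: bytes) -> List[str]:
    """Lines shaped like the output of `ktutil -k <file> l`."""
    return [f"{e.vno:>3}  {ENCTYPE_NAMES.get(e.enctype, str(e.enctype)):<24} {e.principal}"
            for e in parse_keytab(data)]


# Constructed samples mirroring the two listings in the report (dummy 8-byte keys).
PRINCIPAL = "someaccount@S4LISH.QA"
PRIVATE_KEYTAB = build_keytab([KeytabEntry(PRINCIPAL, 1, et, bytes([et]) * 8) for et in (1, 3, 23, 17, 18)])
EXPORTED_KEYTAB = build_keytab([KeytabEntry(PRINCIPAL, 1, et, bytes([et]) * 8) for et in (1, 3, 23)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EXPORTED_KEYTAB
    print("\n".join(ktutil_list(data)))
    print("missing AES enctypes:", sorted(missing_aes(data, PRINCIPAL)))
```

Run it with a real keytab path as the first argument to get the listing plus the AES check; with no argument it uses the constructed "exported" sample, for which missing_aes returns {17, 18}, matching what the report shows for the exportkeytab output.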
Just checked again with samba 4.5.1 (ucs 4.1-4-e410) and there samba-tool user setpassword generates AES hashes, but exportkeytab still doesn't extract them.
We checked this for Ticket #2018011821000161: Domain and Forest Function level need to be at 2008_R2 at least. Beware that raising the function level requires regenerating the krbtgt keys to avoid problems, e.g. for Windows Client password rotation (see also Ticket #2018010821000607).