Generating Keytabs

From SambaWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.

You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.

samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name> 

This should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:

samba-tool domain exportkeytab  <name>.keytab  --principal=[<sAMAccount name> | <SPN>]

This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.

Note: replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created. You should only use <sAMAccount name> or <SPN>, you should not use both.


Adding Enctypes to an Account

By default a users keytab will contain the following enctypes:

arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc

But if you export a keytab using '--principal' it will only contain these enctypes:

arcfour-hmac des-cbc-md5 des-cbc-crc


To add the two stronger enctypes:

Log into A DC as root, then run 'kinit Administrator'. You can then use the 'net ads enctypes set' command to add the enctypes

net ads enctypes set <ACCOUNTNAME>

This should print something like this:

'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96