Generating Keytabs: Difference between revisions

From SambaWiki
No edit summary
m (/* added section on adding enctypes to an account)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.


You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.
Active directory requires kerberos service principle names to be mapped to a user account before a keytab can be generated.


samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>
you can add spn names using the samba-tool provided with your samba 4 installation.


This should return without error.
samba-tool spn add host/fdqn@KerberosRealm sAMAccount


this should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:


samba-tool domain exportkeytab <name>.keytab --principal=[<sAMAccount name> | <SPN>]
to then generate a keytab for that principle again using the samba-tool run the following


This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.
samba-tool domain exportkeytab name.keytab --principal=host/fdqn@KerberosRealm


'''Note:''' replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created.
this should then produce the keytab for the principle that you have exported and this can then be copied to your target machine or service.
You should only use <sAMAccount name> or <SPN>, you should not use both.


= Adding Enctypes to an Account =

By default a users keytab will contain the following enctypes:
arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc

But if you export a keytab using '--principal' it will only contain these enctypes:

arcfour-hmac des-cbc-md5 des-cbc-crc


'''To add the two stronger enctypes:'''

Log into A DC as root, then run 'kinit Administrator'. You can then use the 'net ads enctypes set' command to add the enctypes

net ads enctypes set <ACCOUNTNAME>

This should print something like this:

'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

Latest revision as of 09:24, 15 September 2016

Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.

You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.

samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name> 

This should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:

samba-tool domain exportkeytab  <name>.keytab  --principal=[<sAMAccount name> | <SPN>]

This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.

Note: replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created. You should only use <sAMAccount name> or <SPN>, you should not use both.


Adding Enctypes to an Account

By default a users keytab will contain the following enctypes:

arcfour-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc

But if you export a keytab using '--principal' it will only contain these enctypes:

arcfour-hmac des-cbc-md5 des-cbc-crc


To add the two stronger enctypes:

Log into A DC as root, then run 'kinit Administrator'. You can then use the 'net ads enctypes set' command to add the enctypes

net ads enctypes set <ACCOUNTNAME>

This should print something like this:

'ACCOUNTNAME' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96