-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I am working with integrating various Linux distros as domain members
with an Active Directory Domain running on Windows Server 2008 R2 native.

The Domain admins have allowed DES keys for backwards (NFS)
compatibility, but prefer the default enctypes supported in 2008 R2:
http://support.microsoft.com/kb/977321
    * AES256-CTS-HMAC-SHA1-96
    * AES128-CTS-HMAC-SHA1-96
    * RC4-HMAC

I would like to allow the Domain Members to work with their own keytabs
via the "net ads keytab" command set but have found that the default
(i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
creates the two DES and the ArcFour-with-HMAC/MD5 enctypes; no AES
enctypes are listed.  The Domain admins can use tools on their side to
create SPNs and keytabs that have AES, and we would prefer them over
DES/ArcFour except in special circumstances:

# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (ArcFour with HMAC/md5)
   5 host/iu-itps-rhel...@ads.iu.edu (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel...@ads.iu.edu (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel...@ads.iu.edu (ArcFour with HMAC/md5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (DES cbc mode with CRC-32)
   5 ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (DES cbc mode with RSA-MD5)
   5 ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu (ArcFour with HMAC/md5)
   5 ssh/iu-itps-rhel...@ads.iu.edu (DES cbc mode with CRC-32)
   5 ssh/iu-itps-rhel...@ads.iu.edu (DES cbc mode with RSA-MD5)
   5 ssh/iu-itps-rhel...@ads.iu.edu (ArcFour with HMAC/md5)
# net ads keytab list -P
Vno  Type        Principal
  5  DES cbc mode with CRC-32            host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  DES cbc mode with RSA-MD5           host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  ArcFour with HMAC/md5               host/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  DES cbc mode with CRC-32            host/iu-itps-rhel...@ads.iu.edu
  5  DES cbc mode with RSA-MD5           host/iu-itps-rhel...@ads.iu.edu
  5  ArcFour with HMAC/md5               host/iu-itps-rhel...@ads.iu.edu
  5  DES cbc mode with CRC-32            IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5           IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  ArcFour with HMAC/md5               IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with CRC-32            ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  DES cbc mode with RSA-MD5           ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  ArcFour with HMAC/md5               ssh/iu-itps-rhel6ad.ads.iu....@ads.iu.edu
  5  DES cbc mode with CRC-32            ssh/iu-itps-rhel...@ads.iu.edu
  5  DES cbc mode with RSA-MD5           ssh/iu-itps-rhel...@ads.iu.edu
  5  ArcFour with HMAC/md5               ssh/iu-itps-rhel...@ads.iu.edu

Is there a way to have the "net" command specify enctypes when working
with keytabs?

Thanks,
Robert
-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1St5MACgkQup357T5MfTaH3ACeMion3aBVfmu5UkHT1e9jgi2m
p5MAoJIGjeIWs7LTQvy1jAIxq5IXyhsV
=bDeC
-----END PGP SIGNATURE-----
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
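The post's underlying concern is that a host ends up with only DES and RC4 keys and no AES keys, and the only way to see that is to read "klist -ke" by hand. The script below is an added example, not part of the original message and not Samba's own code, and it does not answer the "net ads keytab" question itself: it parses "klist -ke" output and reports, per principal, which enctype families are present and which principals have no AES key at all. The keytab listing embedded in it is constructed to mirror the post's output (principal names and realm are placeholders), and it accepts both the long MIT enctype names shown in the post and the short ones newer klist builds print (e.g. "aes256-cts-hmac-sha1-96").

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): audit the enctypes
# that "klist -ke" reports for each principal in a keytab. In real use, feed it
# with:  klist -ke | summarize_keytab      or      klist -ke | principals_without_aes

# Constructed sample of "klist -ke" output; names and realm are placeholders.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/rhel6ad.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   5 host/rhel6ad.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   5 host/rhel6ad.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 HTTP/web.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/web.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/web.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)'

# Map one enctype description (long MIT name or short name) to a family:
# aes, des3, des, rc4 or other. "Triple DES" must be tested before plain "des".
enctype_family() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        *aes*)                  echo aes ;;
        *"triple des"*|*des3*)  echo des3 ;;
        *des*)                  echo des ;;
        *arcfour*|*rc4*)        echo rc4 ;;
        *)                      echo other ;;
    esac
}

# Read "klist -ke" output on stdin and print one line per principal:
#   <principal> <family>[,<family>...]
# Families are listed in the order first seen; header lines are skipped
# because they do not start with a KVNO.
summarize_keytab() {
    sed -n 's/^ *[0-9][0-9]* *\([^ ]*\) *(\(.*\))$/\1 \2/p' |
    while read -r princ etype; do
        echo "$princ $(enctype_family "$etype")"
    done |
    awk '
        !seen[$1 "," $2]++ {
            fam[$1] = (fam[$1] == "" ? $2 : fam[$1] "," $2)
            if (!($1 in order)) order[$1] = ++n
        }
        END {
            for (p in order) out[order[p]] = p " " fam[p]
            for (i = 1; i <= n; i++) print out[i]
        }'
}

# Print the principals that have no AES key at all. Exit status is 1 when
# at least one such principal exists, 0 when every principal has an AES key.
principals_without_aes() {
    summarize_keytab |
    awk '$2 !~ /(^|,)aes(,|$)/ { print $1; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | summarize_keytab
printf '%s\n' "$SAMPLE_KLIST" | principals_without_aes ||
    echo "warning: principals above have only DES/RC4 keys"
```

Run it after any "net ads keytab create" or "net ads keytab add" on the host: a principal that shows up from `principals_without_aes` is one for which the AD side (or a keytab built with the admins' tools) still has to supply AES keys before DES and RC4 can be retired for it.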
