
Work in progress

This site is in the process of being reviewed and updated.

The kvno behaves differently on Windows Server 2003 (w2k3) than on Windows 2000 (w2k). In w2k the kvno was always 1. In w2k3 the key version number can vary: every time you reset the password on the account in AD, the kvno is raised by 1. So before you run KTPASS, read out the current kvno (using ADSI or LDAP). The attribute is "msDS-KeyVersionNumber".

The domain name must be prepended to the machine name; without it ktpass cannot locate the account:

C:\>ktpass -princ host/server1.example.com@EXAMPLE.COM mapuser server1 -pass password -out server1
DsCrackNames returned 0x2 in the name entry for server1.
ktpass:failed getting target domain for specified user.

"DsCrackNames" usually means that the account cannot be found. Looking at your syntax, you are trying to map a computer account. If so, you need to append a dollar sign ("$") to the account name, since that is how Windows names computer accounts.

C:\>ktpass -princ host/server1.example.com@EXAMPLE.COM mapuser EXAMPLE\server1$ -pass password -out server1 -crypto DES-CBC-MD5 -kvno 4
Targeting domain controller: KDC.example.com
Using legacy password setting method
Successfully mapped host/server1.example.com to server1$.
WARNING: Account server1$ is not a user account (uacflags=0x11001).
WARNING: Resetting server1$'s password may cause authentication problems if server1$ is being used as a server.

Reset server1$'s password [y/n]?  y
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to server1:
Keytab version: 0x502
keysize 59 host/server1.example.com@EXAMPLE.COM ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x3 (DES-CBC-MD5)
keylength 8 (0x6410ec3e6d85babc)
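
As an added example (not part of the original page), a small Python reader and writer for the version 0x0502 keytab format that ktpass prints above: it builds a keytab from the sample entry, parses it back, and checks that the vno stored for the principal equals the msDS-KeyVersionNumber you read from AD before running ktpass. The sample values (principal, ptype 0, vno 4, etype 3 and the 8-byte key) are the ones shown in the output above; the file layout follows the MIT keytab format, including its trailing 32-bit kvno field.

```python
import struct
# Constructed sample: the principal, ptype 0, vno 4, etype 3 (DES-CBC-MD5) and key from the ktpass run above.
SAMPLE = ("host/server1.example.com@EXAMPLE.COM", 0, 4, 3, bytes.fromhex("6410ec3e6d85babc"))

def _pack(b):  # keytab counted octet string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _unpack(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):  # entries: (principal, name_type, vno, etype, key) tuples
    out = b"\x05\x02"  # file format version 0x0502, as printed by ktpass
    for principal, name_type, vno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        body += b"".join(_pack(c.encode()) for c in comps)
        body += struct.pack(">iiBH", name_type, 0, vno & 0xFF, etype) + _pack(key)
        body += struct.pack(">I", vno)  # 32-bit kvno extension of the MIT keytab format
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):  # returns dicts with principal, name_type, vno, etype, key
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot: skip its bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _unpack(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _unpack(data, off)
            comps.append(c.decode())
        name_type, _ts, vno, etype = struct.unpack_from(">iiBH", data, off)
        key, off = _unpack(data, off + 11)
        if off + 4 <= end:  # trailing 32-bit kvno overrides the 8-bit field
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "vno": vno, "etype": etype, "key": key})
        off = end
    return entries

def kvno_matches(data, principal, ad_kvno):  # compare against AD's msDS-KeyVersionNumber
    vnos = [e["vno"] for e in parse_keytab(data) if e["principal"] == principal]
    return bool(vnos) and all(v == ad_kvno for v in vnos)
```

Run `kvno_matches(open("server1", "rb").read(), "host/server1.example.com@EXAMPLE.COM", <kvno from AD>)` on the file ktpass wrote; a mismatch means the password was reset (and the kvno raised) after the keytab was generated.
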
tdbtool
open /etc/samba/secrets.tdb
dump

Excerpt of the ktpass usage text:

---------------------most useful args
[- /]          out : Keytab to produce
[- /]        princ : Principal name (user@REALM)
[- /]         pass : password to use
                     use "*" to prompt for password.
[- +]      rndPass : ... or use +rndPass to generate a random password
[- /]      minPass : minimum length for random password (def:15)
[- /]      maxPass : maximum length for random password (def:256)
---------------------less useful stuff
[- /]      mapuser : map princ (above) to this user account (default: don't)
[- /]        mapOp : how to set the mapping attribute (default: add it)
[- /]        mapOp :  is one of:
[- /]        mapOp :        add : add value (default)
[- /]        mapOp :        set : set value
[- +]      DesOnly : Set account for des-only encryption (default:don't)
[- /]           in : Keytab to read/digest
---------------------options for key generation
[- /]       crypto : Cryptosystem to use
[- /]       crypto :  is one of:
[- /]       crypto : DES-CBC-CRC : for compatibility
[- /]       crypto : DES-CBC-MD5 : for compatibility
[- /]       crypto : RC4-HMAC-NT : default 128-bit encryption
[- /]        ptype : principal type in question
[- /]        ptype :  is one of:
[- /]        ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
[- /]        ptype : KRB5_NT_SRV_INST : user service instance
[- /]        ptype : KRB5_NT_SRV_HST : host service instance
[- /]         kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
[- +]       Answer : +Answer answers YES to prompts.  -Answer answers NO.
[- /]       Target : Which DC to use.  Default:detect
---------------------options for trust attributes (Windows Server 2003 Sp1 Only)
[- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
[- /]  TrustEncryp : Trust Encryption to use; DES is default
[- /]  TrustEncryp :  is one of:
[- /]  TrustEncryp :        RC4 : RC4 Realm Trusts (default)
[- /]  TrustEncryp :        DES : go back to DES

C:\>ktpass -princ host/server1.example.com@EXAMPLE.COM mapuser EXAMPLE\host-server1 -pass password -out host-server1 -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: KDC.example.com
Using legacy password setting method
Successfully mapped host/server1.example.com to host-server1.
Key created.
Output keytab to host-server1:
Keytab version: 0x502
keysize 59 host/server1.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5)
keylength 8 (0x6410ec3e6d85babc)
Account host-server1 has been set for DES-only encryption.

C:\>ktpass -princ host/server1.example.com@EXAMPLE.COM mapuser EXAMPLE\host-server1$ -pass password -out host-server1 -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_SRV_HST
Targeting domain controller: KDC.example.com
Using legacy password setting method
Successfully mapped host/server1.example.com to HOST-EXAMPLE$.
WARNING: Account HOST-EXAMPLE$ is not a user account (uacflags=0x1021).
WARNING: Resetting HOST-EXAMPLE$'s password may cause authentication problems if HOST-EXAMPLE$ is being used as a server.

Reset HOST-EXAMPLE$'s password [y/n]?  y
Key created.
Output keytab to host-server1:
Keytab version: 0x502
keysize 59 host/server1.example.com@EXAMPLE.COM ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x3 (DES-CBC-MD5)
keylength 8 (0x6410ec3e6d85babc)
Account HOST-EXAMPLE$ has been set for DES-only encryption.