On 26.4.2013 6:13, Andrew Bartlett wrote: > On Wed, 2013-04-24 at 17:39 +0300, Pekka L.J. Jalkanen wrote: >> By the way, is a kerberos keytab actually necessary to decrypt the >> GSS-API packets in Wireshark? Samba Wiki >> (https://wiki.samba.org/index.php/Capture_Packets) doesn't say so (just >> tells to capture the kerberos exchange), but I became somewhat >> suspicious, while reading the following page: >> http://wiki.wireshark.org/Kerberos >> >> Just trying to figure out how to inspect my own capture here... > > Yes, the whole point of GSSAPI security with Kerberos is that without > super-secret-knowledge (the keytab in this case) you can't decrypt a > network sniff.
OK... but in that case I'm having another rather surprising problem: root@samba4dc:~# samba-tool domain exportkeytab ./dcdump.keytab [0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00 ....b... .... . . [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . . [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . . [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . . [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . . [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . . [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 00 . . . . . .P.. ERROR(runtime): uncaught exception - Invalid argument File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/domain.py", line 103, in run net.export_keytab(keytab=keytab, principal=principal) So it seems that for some reason, exporting the keytab from Samba DC doesn't work. I tried to kinit first using the domain admin account, but to no avail--exportkeytab still throws the same error. Now, for the purposes of bug 9828 I could probably export it from our Windows DC using ktpass.exe, but I'd naturally like to know what's wrong here. What should I do? Am I missing something here? Pekka L.J. Jalkanen -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba