berni berni at
Thu Sep 25 20:00:13 GMT 2003


This list is the only place on the whole internet where I found anything
about the keytab. Though, I hope I'm in the right place for my question:

I've installed samba-3.0.0rc2 a while ago and retried with the final
samba-3.0.0 today. I'm using freebsd-5.2 with krb5-1.27 (MIT), where all
compiled well (after removing a line in config.h that #defines

After running "/usr/local/samba/bin/net ads join -U Administrator", I could
immediately log in to the samba-server with win2k, and smbclient also worked
as expected. (yeah!!!)

But now, I have a big problem: samba will remain the only kerberized service
on my freebsd-box as long as I cannot find a way to get the password
(generated by the net utility) for the host/hostname at REALM principal into my

int net_ads_join(int argc, const char **argv)
    in net_ads.c: tmp_password =

I tried to make "net" dump out the above password to stdout and added
entries to /etc/krb5.conf with ktutil:
addent -password -p host/ at REALM -k 1 -e des-cbc-crc

:::: Before I forget: I also had to add the mapping for
host/ at REALM to the machine account on the win2k
:::: ktpass -princ at REALM -mapuser hostname$ -mapOp

It didn't work! Should it? Is the "PATCH samba 3-keytab" you are talking
about all the time what I would need instead?
Is there another way to do this?
Is it a bug?

Another thing I tried was to set up a new machine account in the domain
called hostname-host. But mapping the host/ at REALM to
this account didn't make the principal accessible. I think it might be
masked by the first machine-account and principal.

I guess there must be a way to use samba 3 together with other kerberized
software! I would love to see the net utility automatically set up the
host/ at REALM key(s) in /etc/krb5.keytab. This would be
the most comfortable way to join a machine into the domain! No more ktpass
on Windows!

Thank you for any help on this.

More information about the samba-technical mailing list