net ads keytab add

Ian Grant ian.grant at
Wed Mar 15 17:00:20 GMT 2006

Dear Samba types,

Thanks for all your work on SAMBA, it's an awesome project.

I have been abusing the samba net utility, trying to use it to join a  
host to a Windows 2k3 AD realm for the purposes of accessing NFS  
filesystems using krb5 authentication via rpcsec. I feel it so nearly  
works I can't leave it alone. (It saves such a huge amount of fussing  
with ktpass.exe etc on the domain controllers.)

I'm using SAMBA 3.0.10 on an FC3 machine. I have 'use kerberos keytab  
= true' in smb.conf. I can join the realm and create a keytab on the  
client machine using something like this:

sudo net ads -U ig206 join krb5ServicePrincipals
sudo net ads -U ig206 keytab create

Then I get a keytab:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
    2 host/ at AD.CL.CAM.AC.UK (DES cbc mode with RSA- 


But the kerberos kinit utility can't get a TGT:

kinit -k host/ at AD.CL.CAM.AC.UK
kinit(v5): Client not found in Kerberos database while getting  
initial credentials

The results of net ads search '(sAMAccountName=dwyryd$)' look OK to  
me. Are there any other attributes like msDS-KeyVersionNumber that I  
can query via LDAP to see the underlying kerberos principals database  
that AD maintains?

Thanks for your time

Ian Grant
Cambridge Computer Lab.

More information about the samba-technical mailing list