Generating krb5.keytab

Sergey Yanovich ynvich at
Thu Jun 12 12:43:23 GMT 2008

Matthieu PATOU wrote:
> Sergey Yanovich a écrit :
>> If you provisioned your installation with setup/provision, chances are 
>> that {prefix}/private/krb5.keytab is the file you need.
> I did a provision with a fairly recent snapshot 
> (74e1dd28f2f669bc196dc16b68c8b175bf835721)
>  but I don't see any krb5.keytab in my private dir.
> Is there any special parameters for provision ?

I just followed howto.txt to the letter. I am out of office, and the 
test box is switched off, so I cannot immediately provide exact answer. 
The file may have a different name, like secrets.keytab or similar. 
'ktutils' from Debian's heimdal-clients package was able to rename 
entries there from MYHOST$@REALM.NET to host/ at REALM.NET, 
and I was able to ssh to the Samba4 server, and ldaptools 
(ldap{add/modify/search}) were also able to authenticate using 

If you need to create keytab for a host other than your server, you need 
to play a bit with {prefix}/bin/ldbedit or ldbadd on your server like 
Andrew said in his reply to your original post. Samba is internally 
using ldbadd to register new hosts, and it creates Kerberos principals 
for the hosts. Having a 'krb5Keytab' ldap attribute in the query will 
create a keytab at the address the attribute points to.

Sergey Yanovich
Abstract Accounting Ltd.

More information about the samba-technical mailing list