samba4 keytab management

Matthieu Patou mat at
Fri Aug 27 16:15:47 MDT 2010

> How do I get this done? I am trying to get ssh working with GSSAPI. Reading previous messages here, I added a krb5Keytab attribute
> to the host/xyz at REALM entry in secrets.ldb. This created a /etc/krb5.keytab file. However the principal listed there is in the form:
> HOST at REALM, rather than host/hostname at REALM.
What are you trying to do exactly ? have ssh + GSSAPI on the s4 server 
or on another server ?
For the samba4 dc you don't need a krb5keytab nor a serviceprincipalname 
as Samba is able to figure out that if you need a ticket for principal 
host/xyz at REALM that he can manage to do it with "just" the principal 
xyz at REALM.

So you basically need to have a keytab with a host/xyz at REALM entry.

The best in fact is to create a technical account and add a 
serviceprincipalname like host/xyz at REALM.

Then use in scripting/bin  to generate the keytab.
> I have tried renaming HOST at REALM to host/hostname at REALM with ktutil but it does not produce any result. And sshd is still prompting for
> password. From the sshd logs:
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Key table entry not found
> Is there a procedure for generating new principals like imap/xyz at REALM, and putting it into a keytab file?
> Thanks!

Matthieu Patou
Samba Team

More information about the samba-technical mailing list