samba4 keytab management

srikumar108 at srikumar108 at
Sun Aug 29 00:24:02 MDT 2010


I am trying to get ssh/GSSAPI working on the samba dc. Samba already 
seems to create a HOSTNAME at REALM entry upon provisioning. And when I 
try to ssh from another host, I get a host/hostname at REALM ticket from 
the samba server, but because I do not have a matching entry in the 
keytab on the host running samba4, the ssh server prompts for a password.

Could you please detail the steps for creating a keytab entry of the 
form host/hostname at REALM, where <hostname> is the samba4 server's fqdn? 
I tried your suggestion:

# net user add ssh

# ldbedit -H sam.ldb (to add "serviceprincipalname: host/hostname at REALM")

Then run (which I guess is the counterpart to Windows 
ktpass.exe). But this script is completely broken. The very first thing 
I noticed is the following in something that claims to be a bash script:

function usage {
blah blah

That's never going to fly in bash. Anyway, after correcting it, I tried

./  --out /tmp/host.keytab --princ host/<fqdn_hostname>@REALM 
--pass '*'

And it gets stuck at the following command which returns nothing:

/usr/local/samba/bin/ldbsearch -H ldap:/</hostname> 
me at REALM)) msds-keyversionnumber -k 1 -N

Because there is no entry called "msds-keyversionnumber". In fact, 
"ldapsearch" reveals no entry for "msds-keyversionnumber" anywhere! 
This is as far as I got.

However, looking at secrets.ldb, I already have the entry
dn: flatname=MYDOM,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-3850869255-3736822605-807023173
privateKeytab: secrets.keytab
realm: MYDOM.COM
saltPrincipal: host/hostname at .MYDOM.COM
samAccountName: HOSTNAME$
secureChannelType: 6
objectGUID: fb8e32ec-c15c-4ff4-aafe-d184e5915fec
whenCreated: 20100811203918.0Z
uSNCreated: 7
name: MYDOM
flatname: MYDOM
whenChanged: 20100829012243.0Z
msDS-KeyVersionNumber: 7
secret: xyz
priorSecret:: xyz
priorWhenChanged: 20100829012243.0Z
uSNChanged: 61
distinguishedName: flatname=MYDOM,cn=Primary Domains

So, it seems I already have what I need, but how to get it into a 
keytab that the ssh server can read? I tried copying secrets.keytab to 
/etc/krb5.keytab, I tried adding krb5keytab: /etc/krb5.keytab, but 
nothing works. My previous question about how to create a NEW principal 
and associated keytab entry on the samba dc also stands.

I really appreciate any help you can give me, because I am totally 

-----Original Message-----
From: Matthieu Patou <mat at>
To: samba-technical at
Sent: Fri, Aug 27, 2010 6:15 pm
Subject: Re: samba4 keytab management

> How do I get this done? I am trying to get ssh working with GSSAPI. 
> Reading previous messages here, I added a krb5Keytab attribute 
> to the host/xyz at REALM entry in secrets.ldb. This created a 
> /etc/krb5.keytab file. However the principal listed there is in the 
> HOST at REALM, rather than host/hostname at REALM. 
What are you trying to do exactly? Have ssh + GSSAPI on the s4 server 
or on another server? 
For the samba4 dc you don't need a krb5keytab nor a 
serviceprincipalname as Samba is able to figure out that if you need a 
ticket for principal host/xyz at REALM that he can manage to do it with 
"just" the principal xyz at REALM. 
So you basically need to have a keytab with a host/xyz at REALM entry. 
The best in fact is to create a technical account and add a 
serviceprincipalname like host/xyz at REALM. 
Then use in scripting/bin  to generate the keytab. 
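
Added example, not part of the thread and not Samba code: a small parser for the MIT keytab file format (version 0x0502) that lists the principals and key version numbers in a keytab, so you can check whether the host/<fqdn>@REALM entry sshd looks up is actually present. The fqdn hostname.mydom.com, the enctype 23 (arcfour-hmac) and the all-zero key bytes are constructed sample values; the realm and kvno 7 mirror the secrets.ldb dump above.

```python
import struct

def parse_keytab(data: bytes):
    """Parse MIT keytab bytes (format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")

    def counted(p):  # uint16 length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        _ntype, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen  # step over the key bytes; they are never returned
        if end - p >= 4:  # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def matching_entries(entries, principal):
    """Entries whose principal equals the one the service looks up (case-sensitive)."""
    return [e for e in entries if e[0] == principal]

def build_entry(principal, realm, kvno, enctype, key):
    """Build one keytab entry; used only for the constructed samples below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed samples: a keytab with only the machine account, and one with host/ added.
SAMPLE = b"\x05\x02" + build_entry("HOSTNAME$", "MYDOM.COM", 7, 23, bytes(16))
FIXED = SAMPLE + build_entry("host/hostname.mydom.com", "MYDOM.COM", 7, 23, bytes(16))
```

To inspect a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab`; an empty result from `matching_entries` for the host/ principal corresponds to the password-prompt fallback described in the message.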
