samba4 keytab management

Matthieu Patou mat at
Sun Aug 29 04:22:59 MDT 2010

  On 29/08/2010 10:24, srikumar108 at wrote:
> Hi:
> I am trying to get ssh/GSSAPI working on the samba dc. Samba already 
> seems to create a HOSTNAME at REALM entry upon provisioning. And when I 
> try to ssh from another host, I get a host/hostname at REALM ticket from 
> the samba server, but because I do not have a matching entry in the 
> keytab on the host running samba4, ssh server prompts for a password.
> Could you please detail the steps for creating a keytab entry of the 
> form host/hostname at REALM, where <hostname> is the samba4 server's 
> fqdn? I tried your suggestion:
> # net user add ssh
> # ldbedit -H sam.ldb (to add "serviceprincipalname: host/hostname at REALM")
> Then run (which I guess is the counterpart to windows 
> ktpass.exe). But this script is completely broken. The very first 
> thing I noticed is the following in something that claims to be a bash 
> script:
> function usage {
> blah blah
> }
> That's never going to fly in bash. Anyway, after correcting it, I tried
Well, it works on my workstation, so be sure of your assertions ... :-) 
First, it's not very polite, and then it's not true.

  bash --version
GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.

At least one mandatory parameter (--out, --princ, --pass) was not specified --out <keytabfile> --princ <principal> --pass <password>|*
       [--host hostname] [--enc <encryption>]
       [--ptype <type>] [--path-to-ldbsearch <path>]

Encoding should be one of:
  * des-cbc-crc
  * des-cbc-md5
  * rc4-hmac (default)
  * aes128-cts
  * aes256-cts

> ./  --out /tmp/host.keytab --princ host/<fqdn_hostname>@REALM 
> --pass '*'
> And it gets stuck at the following command which returns nothing:
> /usr/local/samba/bin/ldbsearch -H ldap://<hostname> 
> (|(samaccountname=host/<hostname>@REALM)(serviceprincipalname=host/hostname at REALM)) msds-keyversionnumber -k 1 -N
> Because there is no entry called "msds-keyversionnumber". In fact, 
> "ldapsearch" reveals no entry for "msds-keyversionnumber" anywhere! 
Don't mix ldbsearch and ldapsearch; they're not the same thing.
> This is as far as I got.

Are you really sure? That's not to be rude, it's just not true :-)
So first try to be sure that:
  /usr/local/samba/bin/ldbsearch -H ldap://<hostname> 
(serviceprincipalname=host/hostname at REALM) -k 1
then, if it's not working, try
  /usr/local/samba/bin/ldbsearch -H ldap://<hostname> 
(serviceprincipalname=host/hostname) -k 1
returns something; if not, then most probably you have something wrong.

Then I discovered that can't be called yet from scripting/bin 
because the path to ldbsearch is wrong, so copy into /usr/samba/bin.

> However, looking at secrets.ldb, I already have the entry
> ------------------------------------------------------------------------------
> dn: flatname=MYDOM,cn=Primary Domains
> objectClass: top
> objectClass: primaryDomain
> objectClass: kerberosSecret
> objectSid: S-1-5-21-3850869255-3736822605-807023173
> privateKeytab: secrets.keytab
> realm: MYDOM.COM
> saltPrincipal: host/hostname at .MYDOM.COM
>                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's not because you see somewhere the text that you want that it means 
what you want.
> samAccountName: HOSTNAME$
Because what is used by the keytab module is this entry.
> secureChannelType: 6
> objectGUID: fb8e32ec-c15c-4ff4-aafe-d184e5915fec
> whenCreated: 20100811203918.0Z
> uSNCreated: 7
> name: MYDOM
> flatname: MYDOM
> whenChanged: 20100829012243.0Z
> msDS-KeyVersionNumber: 7
> secret: xyz
> priorSecret:: xyz
> priorWhenChanged: 20100829012243.0Z
> uSNChanged: 61
> distinguishedName: flatname=MYDOM,cn=Primary Domains
> ------------------------------------------------------------------------------
> So, it seems I already have what I need, but how to get it into a 
> keytab that the ssh server can read?
If you had read the keytab with ktutil you would have noticed that you 
do not have what you need in your keytab.
Also, even if you manage to get the keytab exported right (it's not 
impossible), this solution is not the good one, as upgradeprovision changes 
the DC password every time it's run, so you have to regenerate your keytab.

> I tried copying secrets.keytab to /etc/krb5.keytab, I tried adding 
> krb5keytab: /etc/krb5.keytab, but nothing works. My previous question 
> about how to create a NEW principal and associated keytab entry on the 
> samba dc also stands.
So please do try the solution that I proposed, because it works.

> I really appreciate any help you can give me, because I am totally 
> stumped.
> -----Original Message-----
> From: Matthieu Patou <mat at>
> To: samba-technical at
> Sent: Fri, Aug 27, 2010 6:15 pm
> Subject: Re: samba4 keytab management
> Hello,
>> How do I get this done? I am trying to get ssh working with GSSAPI. 
>> Reading previous messages here, I added a krb5Keytab attribute 
>> to the host/xyz at REALM entry in secrets.ldb. This created a 
>> /etc/krb5.keytab file. However the principal listed there is in the 
>> form:
>>
>> HOST at REALM, rather than host/hostname at REALM.
> What are you trying to do exactly? Have ssh + GSSAPI on the s4 server 
> or on another server?
> For the samba4 dc you don't need a krb5keytab nor a 
> serviceprincipalname as Samba is able to figure out that if you need a 
> ticket for principal host/xyz at REALM it can manage to do it with 
> "just" the principal xyz at REALM.
>
> So you basically need to have a keytab with a host/xyz at REALM entry.
>
> The best in fact is to create a technical account and add a 
> serviceprincipalname like host/xyz at REALM.
>
> Then use in scripting/bin to generate the keytab.

Matthieu Patou
Samba Team
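The procedure laid out in this thread (create a technical account, give it a servicePrincipalName, generate a keytab for host/<fqdn>@REALM, then actually read the keytab back with ktutil instead of trusting what secrets.ldb says) as an added shell example. This is not code from the thread or from Samba: the account DN, host name, realm and both tool outputs are constructed assumptions, and the script only builds the LDIF and the ldbsearch filter and checks a listing; it never runs ldbmodify, ldbsearch or ktutil itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: helpers for the
# procedure Matthieu describes (technical account + servicePrincipalName,
# then a keytab for host/<fqdn>@REALM) and for the check he asks for
# (read the keytab back and confirm the entry is really there).
# Account DN, hostname, realm and the two sample outputs are assumptions
# constructed for this example; ldbmodify/ldbsearch/ktutil are real tools
# but are never executed here.

# LDIF that adds a servicePrincipalName to the technical account; pipe it
# into `ldbmodify -H sam.ldb` instead of editing the object by hand.
spn_ldif() {
    # $1 = DN of the account, $2 = SPN such as host/dc1.mydom.com
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\nservicePrincipalName: %s\n' "$1" "$2"
}

# The ldbsearch filter from the thread: match the name either as
# sAMAccountName or as servicePrincipalName. $1 = principal name.
spn_filter() {
    printf '(|(samaccountname=%s)(serviceprincipalname=%s))' "$1" "$1"
}

# Read msDS-KeyVersionNumber out of ldbsearch output on stdin. In AD it is
# a constructed attribute, so it has to be requested by name, as the
# thread's ldbsearch command does.
kvno_from_ldb() {
    awk 'tolower($1) == "msds-keyversionnumber:" { print $2; exit }'
}

# Compare a keytab listing against the kvno the DC reports.
# $1 = principal, $2 = DC kvno, $3 = output of `ktutil -k <keytab> list`
# (Heimdal layout: "Vno Type Principal").
# Returns 0 if the principal is present at that kvno, 1 if it is absent
# (sshd will fall back to a password prompt), 2 if it is present only at
# a different kvno, i.e. stale, e.g. after upgradeprovision changed the
# account password.
check_keytab() {
    principal=$1; want=$2; listing=$3
    found=$(printf '%s\n' "$listing" | awk -v p="$principal" '$3 == p { print $1 }' | sort -u)
    [ -z "$found" ] && return 1
    for v in $found; do
        [ "$v" = "$want" ] && return 0
    done
    return 2
}

# Constructed sample: what `ldbsearch ... msds-keyversionnumber` prints
# for the technical account.
SAMPLE_LDB='dn: CN=ssh,CN=Users,DC=mydom,DC=com
msDS-KeyVersionNumber: 7
'

# Constructed sample: Heimdal `ktutil -k /etc/krb5.keytab list` output with
# a stale host/ entry (kvno 3) and the machine account at the current kvno.
SAMPLE_KEYTAB='FILE:/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
  3  aes256-cts-hmac-sha1-96  host/dc1.mydom.com@MYDOM.COM
  7  arcfour-hmac-md5         DC1$@MYDOM.COM
'

main() {
    fqdn=dc1.mydom.com; realm=MYDOM.COM; dn='CN=ssh,CN=Users,DC=mydom,DC=com'
    spn="host/$fqdn"

    echo "# LDIF to feed ldbmodify:"
    spn_ldif "$dn" "$spn"
    echo "# ldbsearch filter to verify the SPN is stored:"
    echo "  $(spn_filter "$spn@$realm")"

    kvno=$(printf '%s' "$SAMPLE_LDB" | kvno_from_ldb)
    rc=0
    check_keytab "$spn@$realm" "$kvno" "$SAMPLE_KEYTAB" || rc=$?
    case $rc in
        0) echo "keytab has $spn@$realm at kvno $kvno: sshd can accept GSSAPI" ;;
        1) echo "keytab has no $spn@$realm entry: sshd will prompt for a password" ;;
        2) echo "keytab entry for $spn@$realm is stale (DC kvno $kvno): regenerate it" ;;
    esac
}

main "$@"
```

The kvno comparison is the part worth keeping around: whenever the technical account's password changes (and, for anything derived from the DC machine account, every upgradeprovision run), the kvno on the DC moves on and the old keytab entry silently stops working, which looks exactly like the "sshd prompts for a password" symptom in the thread.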
