samba4 keytab management

srikumar108 at srikumar108 at
Sun Aug 29 09:28:46 MDT 2010

Hi Matthieu,

First of all it was not my intention to be rude, and I do appreciate 
your help. I tried the steps you outlined. I did the following: on the 
host running samba4:

# kinit administrator

# net user ssh

# net password set ssh <longstring>

# ldbedit -H sam.ldb cn=ssh [ and add 'serviceprincipalname: 
host/<fqdn>@REALM' ]

# ktpass --out /etc/krb5.keytab --princ host/<fqdn>@REALM --pass 

The command finishes without error and a keytab with 'host/xyz at REALM' 
is created. But, when I try to ssh to the samba4 box, I get prompted 
for password,, and even typing the correct password does not let me in. 
I do get a ticket on the host that looks like 'host/xyz at REALM' but it 
does no good. The error message from sshd is "Wrong principal". In fact 
until I remove the keytab, no form of authentication works, not even 
local login!

Clearly, ktpass is creating something that no program on the samba4 box 
likes :-) BTW, I have joined a Mac to the samba4 domain, and samba3 on 
the mac automatically created a keytab with the correct entry. I can 
ssh into the mac with GSSAPI without any problem.

Please let me know if I can give you more information.


-----Original Message-----
From: Matthieu Patou <mat at>
To: srikumar108 at
Cc: samba-technical at
Sent: Sun, Aug 29, 2010 6:22 am
Subject: Re: samba4 keytab management

> Well it works on my workstation so be sure of your assertions ... :-) 
First it's not very polite and then it's not true. 

> So please do try the solution that I proposed because it 

More information about the samba-technical mailing list