samba4 keytab management

Love Hörnquist Åstrand lha at
Sun Aug 29 12:40:24 MDT 2010


ktutil does add_entry that will add the string2key(password, principal) as the key to the entry in the keytab

Windows uses the same key for all SPN, you have to use the base principal in the string2key function, in heimdal you do that by using --salt, dunno about MIT.


29 aug 2010 kl. 08:28 skrev <srikumar108 at> <srikumar108 at>:

> Hi Matthieu,
> First of all it was not my intention to be rude, and I do appreciate your help. I tried the steps you outlined. I did the following: on the host running samba4:
> # kinit administrator
> # net user ssh
> # net password set ssh <longstring>
> # ldbedit -H sam.ldb cn=ssh [ and add 'serviceprincipalname: host/<fqdn>@REALM' ]
> # ktpass --out /etc/krb5.keytab --princ host/<fqdn>@REALM --pass <longstring>
> The command finishes without error and a keytab with 'host/xyz at REALM' is created. But, when I try to ssh to the samba4 box, I get prompted for password,, and even typing the correct password does not let me in. I do get a ticket on the host that looks like 'host/xyz at REALM' but it does no good. The error message from sshd is "Wrong principal". In fact until I remove the keytab, no form of authentication works, not even local login!
> Clearly, ktpass is creating something that no program on the samba4 box likes :-) BTW, I have joined a Mac to the samba4 domain, and samba3 on the mac automatically created a keytab with the correct entry. I can ssh into the mac with GSSAPI without any problem.
> Please let me know if I can give you more information.
> Thanks!
> -----Original Message-----
> From: Matthieu Patou <mat at>
> To: srikumar108 at
> Cc: samba-technical at
> Sent: Sun, Aug 29, 2010 6:22 am
> Subject: Re: samba4 keytab management
>> Well it works on my workstation so be sure of your assertions ... :-) 
> First it's not very polite and then it's not true. 
> ...
>>  So please do try the solution that I proposed because it 
> works 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list