samba4 keytab management

Matthieu Patou mat at
Sun Aug 29 13:30:11 MDT 2010

On 29/08/2010 19:28, srikumar108 at wrote:
> Hi Matthieu,
> First of all it was not my intention to be rude, and I do appreciate 
> your help. I tried the steps you outlined. I did the following: on the 
> host running samba4:
> # kinit administrator
> # net user ssh
> # net password set ssh <longstring>
> # ldbedit -H sam.ldb cn=ssh [ and add 'serviceprincipalname: 
> host/<fqdn>@REALM' ]
> # ktpass --out /etc/krb5.keytab --princ host/<fqdn>@REALM --pass 
> <longstring>
I'm not 100% sure that you need to specify the @REALM but it shouldn't 
> The command finishes without error and a keytab with 'host/xyz at REALM' 
> is created. But, when I try to ssh to the samba4 box, I get prompted 
> for password, and even typing the correct password does not let me 
> in. I do get a ticket on the host that looks like 'host/xyz at REALM' but 
> it does no good. The error message from sshd is "Wrong principal". In 
> fact until I remove the keytab, no form of authentication works, not 
> even local login!
Well there is a simple way to check that your keytab is correct:

kinit -k -t the-keytab ssh  (you need to recreate a keytab for the 
ssh at REALM principal).

If klist gives you a ticket then it means that it's ok; if not, then well 
you'll have to search ... starting samba with -d 5 will give you some 
clues about which principal openssh is trying to validate.


> Clearly, ktpass is creating something that no program on the samba4 
> box likes :-) BTW, I have joined a Mac to the samba4 domain, and 
> samba3 on the mac automatically created a keytab with the correct 
> entry. I can ssh into the mac with GSSAPI without any problem.
On a host with samba3, net ads keytab is the easiest way to do it.

> Please let me know if I can give you more information.
> Thanks!
> -----Original Message-----
> From: Matthieu Patou <mat at>
> To: srikumar108 at
> Cc: samba-technical at
> Sent: Sun, Aug 29, 2010 6:22 am
> Subject: Re: samba4 keytab management
>> Well it works on my workstation so be sure of your assertions ... :-) 
> First it's not very polite and then it's not true.
>
> ...
>> So please do try the solution that I proposed because it 
>> works
>

Matthieu Patou
Samba Team
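As an added illustration of the check discussed above (written for this edit, not code from the thread, Samba or MIT Kerberos): a small parser for the MIT 0x0502 keytab format that lists the principals a keytab holds, which is what `klist -k` prints and the first thing to compare against the host/<fqdn>@REALM name sshd is looking for when it reports "Wrong principal". The keytab bytes, the realm EXAMPLE.COM and the host xyz.example.com are constructed sample values.

```python
import struct
def _counted(b):                       # keytab counted_octet_string: u16 length + bytes
    return struct.pack(">H", len(b)) + b
def _read_str(data, off):              # inverse of _counted; returns (string, new offset)
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n
def build_entry(principal, kvno, enctype, key, ts=0):
    """Encode one v2 keytab entry for 'comp/comp@REALM', name type 1 (NT-PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)       # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key    # keyblock
    body += struct.pack(">I", kvno)                        # optional 32-bit vno
    return struct.pack(">i", len(body)) + body
def parse_keytab(data):
    """Return [(principal, kvno, enctype)] per live entry, as `klist -k` would list them."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot: skip it
            off -= size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_str(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_str(data, off)
            comps.append(c)
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen
        kvno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        out.append(("/".join(comps) + "@" + realm, kvno32 or vno8, enctype))
        off = end
    return out
def keytab_has_principal(data, principal):   # sshd needs an exact host/<fqdn>@REALM entry
    return any(p == principal for p, _, _ in parse_keytab(data))
# Constructed sample keytab (not from the thread); 23 = rc4-hmac, dummy all-zero keys.
SAMPLE = (b"\x05\x02" + build_entry("host/xyz.example.com@EXAMPLE.COM", 2, 23, bytes(16))
          + build_entry("ssh@EXAMPLE.COM", 2, 23, bytes(16)))
```

To inspect a real file, read /etc/krb5.keytab as bytes and pass it to parse_keytab; a short host name or a different realm in the entry will show up as a near miss that keytab_has_principal correctly rejects.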
