samba4 keytab management

srikumar108 at srikumar108 at
Sun Aug 29 20:10:42 MDT 2010

> the samaccountname of this user is ssh right ? (the one you created
> with net user)
> have you tried that with kinit ssh at REALM you are able to get a ticket

Samba is running on, samdomain MYNET, realm MYNET.COM. 
sshd is running on same host.

First I did:

# net user add ssh
# net password set samba4test
# ldbedit -H sam.ldb cn=ssh <add serviceprincipalname>

Here's the resulting user:

# ldbedit -H sam.ldb cn=ssh

# record 1
dn: CN=ssh,CN=Users,DC=mynet,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ssh
instanceType: 4
whenCreated: 20100830011947.0Z
uSNCreated: 5136
name: ssh
objectGUID: 7924267d-c73f-4988-aaf8-c85daf51a7b3
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3850869255-3736822605-807023173-1133
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ssh
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=com
servicePrincipalName: host/ at MYNET.COM
pwdLastSet: 129276052140000000
whenChanged: 20100830012654.0Z
uSNChanged: 5145
distinguishedName: CN=ssh,CN=Users,DC=mynet,DC=com

# Referral
ref: ldap://,DC=mynet,DC=com

# returned 2 records
# 1 entries
# 1 referrals

Keytab created with the command:
# ktpass --out /tmp/krb5.keytab --princ host/ at MYNET.COM --pass 'samba4test'

Output from the relevant part of  ktpass:
# ldbsearch -H ldap:// '(|(samaccountname=host/ at MYNET.COM)(serviceprincipalname=host/ at MYNET.COM))' msds-keyversionnumber -k 1 -N
# record 1
dn: CN=ssh,CN=Users,DC=mynet,DC=com
msDS-KeyVersionNumber: 3

# Referral
ref: ldap://,DC=mynet,DC=com

# returned 2 records
# 1 entries
# 1 referrals

Output of ktutil:
# ktutil
ktutil:  rkt krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- 
   1    3       host/ at MYNET.COM
ktutil:  q

# cp krb5.keytab /etc

# kinit ssh
Password for ssh at MYNET.COM:
kinit: Clients credentials have been revoked while getting initial 

Is there any other info I should provide?
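Added example (not part of the original post or of Samba itself): a small Python checker that decodes the user record pasted above the way a practitioner would before chasing the keytab. It turns the userAccountControl value into its well-known Active Directory flag names, converts the FILETIME attributes, and compares the keytab KVNO printed by ktutil with msDS-KeyVersionNumber from the directory. The record embedded below is copied from the post (the SPN hostname is elided there, so it stays elided here); the flag bit values are the standard AD definitions, and the function names are my own.

```python
"""Decode a Samba AD user record (ldbedit/ldbsearch output) and explain a kinit failure.

Added example; UAC_FLAGS are the standard Active Directory userAccountControl bits,
SAMPLE_RECORD is copied from the mailing-list post (SPN hostname elided as in the post).
"""
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Attributes from the post's ldbedit record plus msDS-KeyVersionNumber from its ldbsearch output.
SAMPLE_RECORD = """\
# record 1
dn: CN=ssh,CN=Users,DC=mynet,DC=com
sAMAccountName: ssh
userAccountControl: 546
servicePrincipalName: host/ at MYNET.COM
pwdLastSet: 129276052140000000
accountExpires: 9223372036854775807
msDS-KeyVersionNumber: 3
"""


def parse_ldif_record(text):
    """Parse one ldb record into {attribute: [values]}; '#' comment lines are skipped."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(key, []).append(value)
    return attrs


def decode_uac(value):
    """Return the names of the userAccountControl bits set in value, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(value):
    """AD FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; None for 0 or 'never'."""
    ticks = int(value)
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def check_service_account(record_text, keytab_kvno):
    """Explain why the account in record_text may fail kinit and whether the keytab is current."""
    attrs = parse_ldif_record(record_text)
    flags = decode_uac(attrs["userAccountControl"][0])
    findings = []
    if "ACCOUNTDISABLE" in flags:
        # A disabled principal is refused at AS-REQ time; Heimdal-based KDCs answer
        # KRB5KDC_ERR_CLIENT_REVOKED, shown by kinit as "Clients credentials have been revoked".
        findings.append("account is disabled (UF_ACCOUNTDISABLE): enable it before using kinit")
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD is set: clear it once a real password has been assigned")
    if not attrs.get("servicePrincipalName"):
        findings.append("no servicePrincipalName: no service ticket can be issued for this host")
    ad_kvno = int(attrs["msDS-KeyVersionNumber"][0])
    if keytab_kvno != ad_kvno:
        findings.append(f"keytab KVNO {keytab_kvno} differs from directory KVNO {ad_kvno}: re-export the keytab")
    return {
        "flags": flags,
        "pwdLastSet": filetime_to_datetime(attrs["pwdLastSet"][0]),
        "accountExpires": filetime_to_datetime(attrs["accountExpires"][0]),
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_service_account(SAMPLE_RECORD, keytab_kvno=3)
    print("flags:", ", ".join(result["flags"]))
    print("pwdLastSet:", result["pwdLastSet"], "accountExpires:", result["accountExpires"])
    for finding in result["findings"]:
        print("-", finding)
```

Run against the record from the post, the checker shows userAccountControl 546 as NORMAL_ACCOUNT plus PASSWD_NOTREQD plus ACCOUNTDISABLE, and that pwdLastSet decodes to the same instant as whenChanged (2010-08-30 01:26:54 UTC); the KVNO of 3 in the keytab matches the directory, so the keytab itself is not the stale part.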