samba4 keytab management

Aaron Solochek aarons-samba at
Tue Oct 19 11:00:15 MDT 2010

On 10/19/2010 08:14 AM, Trever L. Adams wrote:
>  On 09/06/2010 05:28 PM, srikumar 108 wrote:
>> 2. 'ldbedit -H sam.ldb cn=imap' to add the following:
>> servicePrincipalName: imap/.f.q.d.n
>> userPrincipalName: imap/f.q.d.n at REALM
>> The 'userPrincipalName' entry is added by Windows ktpass.exe, but it
>> was not strictly necessary. The trick was to add the serviceprincipal
>> WITHOUT the realm part.
> Sorry for responding to an old thread, but I thought I would chime in.
> The userPrincipalName is actually required by some programs for things
> to work properly. One example of this is dovecot SASL being used by
> postfix (client Thunderbird 3.1.4 for smtp). I have been trying to get
> this to work for about a week.
> Just for grins, I added the userPrincipalName in the format listed above
> and all of my problems disappeared.
> Any fix would be GREATLY appreciated.

I believe this is because many programs want to be able to get those service
principal tickets.  The samba KDC doesn't let you do that.  Setting
userPrincipalName ended up being a temporary fix for my issue -- NFS4 wants to
be able to get nfs/foo tickets on both the server and clients.  However, since
you can only set one userPrincipalName, I still think the right solution is
allowing clients to get service principal tickets.
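As an added illustration of the attribute layout the thread converges on (this is example code written for this page, not anything Aaron, Trever or the Samba project posted), the script below builds the `servicePrincipalName` / `userPrincipalName` pair for a service account, emits an LDIF change suitable for `ldbmodify -H sam.ldb`, and checks an entry as printed by `ldbsearch` for the two mistakes discussed above: an SPN that carries a realm suffix, and a missing or wrongly-realmed UPN. The DN, hostnames and realm are constructed sample values; the LDIF parser is deliberately minimal (no line folding, no base64 values).

```python
"""Added example (not from the thread): build and check the SPN/UPN
attributes a Samba4 service account needs for GSSAPI consumers."""
from __future__ import annotations

import re

# Realm suffix as it appears in a Kerberos principal (constructed pattern).
REALM_RE = re.compile(r"@([A-Z0-9.\-]+)$")


def service_principal_attrs(service: str, fqdn: str, realm: str) -> dict[str, str]:
    """Return the attribute values the thread settled on:
    servicePrincipalName WITHOUT the realm, userPrincipalName WITH it."""
    fqdn = fqdn.rstrip(".").lower()          # drop trailing dot, normalise case
    return {
        "servicePrincipalName": f"{service}/{fqdn}",
        "userPrincipalName": f"{service}/{fqdn}@{realm.upper()}",
    }


def modify_ldif(dn: str, service: str, fqdn: str, realm: str) -> str:
    """LDIF 'changetype: modify' record adding both attributes to `dn`."""
    attrs = service_principal_attrs(service, fqdn, realm)
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (name, value) in enumerate(attrs.items()):
        if i:
            lines.append("-")                # separator between modify ops
        lines.append(f"add: {name}")
        lines.append(f"{name}: {value}")
    lines.append("")                         # trailing newline ends the record
    return "\n".join(lines)


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Minimal parser for one entry as printed by ldbsearch."""
    entry: dict[str, list[str]] = {}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):   # skip blanks and '# record N'
            continue
        name, _, value = raw.partition(": ")
        entry.setdefault(name, []).append(value.strip())
    return entry


def check_entry(entry: dict[str, list[str]], realm: str) -> list[str]:
    """Flag the misconfigurations the thread describes; empty list = OK."""
    problems: list[str] = []
    for spn in entry.get("servicePrincipalName", []):
        if "@" in spn:
            problems.append(f"SPN carries a realm part: {spn}")
    upns = entry.get("userPrincipalName", [])
    if not upns:
        problems.append("no userPrincipalName; some SASL/GSSAPI consumers need it")
    for upn in upns:
        m = REALM_RE.search(upn)
        if not m:
            problems.append(f"UPN lacks realm suffix: {upn}")
        elif m.group(1) != realm.upper():
            problems.append(f"UPN realm {m.group(1)} != {realm.upper()}: {upn}")
    if len(upns) > 1:
        problems.append("more than one userPrincipalName (attribute is single-valued)")
    return problems


# Constructed sample entries in ldbsearch output form (not real data).
SAMPLE_GOOD = """\
# record 1
dn: CN=imap,CN=Users,DC=example,DC=com
servicePrincipalName: imap/mail.example.com
userPrincipalName: imap/mail.example.com@EXAMPLE.COM
"""

SAMPLE_BAD = """\
# record 1
dn: CN=imap,CN=Users,DC=example,DC=com
servicePrincipalName: imap/mail.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    print(modify_ldif("CN=imap,CN=Users,DC=example,DC=com",
                      "imap", "mail.example.com", "EXAMPLE.COM"))
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_entry(parse_ldif_entry(sample), "EXAMPLE.COM") or "OK")
```

Feed the printed LDIF to `ldbmodify -H sam.ldb` (or paste the two attribute lines into `ldbedit`), then re-run `check_entry` over the `ldbsearch` output to confirm the SPN has no realm suffix and exactly one UPN is present.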


More information about the samba-technical mailing list