samba4 keytab management

Matthieu Patou mat at
Fri Sep 3 05:34:00 MDT 2010

  On 03/09/2010 09:19, srikumar108 at wrote:
> Hi Mathieu,
> Do you have any more suggestion?
Yes !

> I looked at the ssh user through ADUC, and the ssh a/c is not locked 
> or expired.
Yeah, but we need to be sure that you can get a ticket. "runas 
/user:DOMAIN\user cmd" is also an option in Windows.

> After getting a new keytab and trying to kinit, I am getting the message:
> kinit: KDC has no support for encryption type while getting initial 
> credentials
> From samba.log:
> Kerberos: No client key matching pa-data (aes256-cts-hmac-sha1-96) -- 
> ssh at MYNET.COM
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well, that's obvious: you do not have an AES key for the user, which can 
be quite logical.

Did you change the forest/domain level of your samba4? If not, did you 
specify any level information on provision?

It could be worth digging into this problem, but in the short term I 
suggest setting this in your /etc/krb5.conf:

default_tgs_enctypes =  rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 
default_tkt_enctypes =  rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 

in the [libdefaults] section

Then retry your kinit.

In case I forget to tell you: I retried this week and it just 
works on my setup. I was able to generate keytabs for the HTTP Kerberos 
authentication, so if you have a problem it's either because you didn't 
type the password correctly or because the problem is somewhere else.


Matthieu Patou
Samba Team
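The diagnosis above (the KDC reports "No client key matching pa-data (aes256-cts-hmac-sha1-96)" because the account has no AES key, so the client must be restricted to the enctypes the KDC actually holds) can be checked mechanically. The following script is an added example, not code from the thread or from the Samba project: it parses the client's keytab listing in MIT "klist -kte" format (Heimdal's ktutil prints a different layout, so the line regex is an assumption), extracts the enctype and principal the KDC rejected from a log line of the kind quoted above, and builds the [libdefaults] enctype lines from the keytab enctypes minus the rejected one. The sample keytab listing and log line are constructed. Note that the resulting workaround keeps RC4 and DES enctypes, which are weak by current standards; the durable fix is for the account to get AES keys (hence the domain-level question above) and then drop the enctype override.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte` output (MIT Kerberos layout); not real data.
SAMPLE_KLIST = """Keytab name: FILE:/tmp/ssh.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/03/2010 05:34:00 ssh@MYNET.COM (aes256-cts-hmac-sha1-96)
   3 09/03/2010 05:34:00 ssh@MYNET.COM (arcfour-hmac)
   3 09/03/2010 05:34:00 ssh@MYNET.COM (des-cbc-md5)
   3 09/03/2010 05:34:00 ssh@MYNET.COM (des3-cbc-sha1)
"""

# Constructed KDC log line of the kind quoted in the thread.
SAMPLE_LOG = ("Kerberos: No client key matching pa-data "
              "(aes256-cts-hmac-sha1-96) -- ssh@MYNET.COM")

# One keytab entry line: KVNO, date, time, principal, (enctype).  Assumed MIT format.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")
# The Heimdal KDC message: which enctype was offered and for which principal.
LOG_RE = re.compile(r"No client key matching pa-data \(([^)]+)\) -- (\S+)")


def parse_klist(text):
    """Return {principal: set(enctypes)} from `klist -kte` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _kvno, _timestamp, principal, enctype = m.groups()
            keys[principal].add(enctype)
    return dict(keys)


def parse_kdc_error(line):
    """Return (enctype, principal) from the KDC error, or None if it is not that message."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def diagnose(klist_text, log_line):
    """Compare what the client keytab holds with what the KDC rejected.

    The client keytab may carry an AES key that the KDC-side account lacks;
    the short-term workaround is to let the client use only the remaining
    enctypes.  Returns a dict with the findings.
    """
    keys = parse_klist(klist_text)
    parsed = parse_kdc_error(log_line)
    if parsed is None:
        return {"status": "no-enctype-error"}
    rejected, principal = parsed
    have = keys.get(principal, set())
    usable = sorted(have - {rejected})
    return {
        "status": "enctype-mismatch" if rejected in have else "enctype-not-in-keytab",
        "principal": principal,
        "rejected_by_kdc": rejected,
        "keytab_enctypes": sorted(have),
        "workaround_enctypes": usable,
    }


def libdefaults_fragment(enctypes):
    """Build the krb5.conf [libdefaults] lines that pin the client to the given enctypes."""
    joined = " ".join(enctypes)
    return ("[libdefaults]\n"
            f"    default_tkt_enctypes = {joined}\n"
            f"    default_tgs_enctypes = {joined}\n")


if __name__ == "__main__":
    result = diagnose(SAMPLE_KLIST, SAMPLE_LOG)
    print(result)
    print(libdefaults_fragment(result["workaround_enctypes"]))
```

Run it against the real output of "klist -kte /path/to/keytab" and the matching samba.log line; if "status" is "enctype-mismatch", the keytab has a key the KDC does not, and the printed fragment is the interim override for /etc/krb5.conf.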
