samba4 keytab management

srikumar 108 srikumar108 at
Mon Sep 6 17:28:06 MDT 2010

Hi Mathieu:

I have partial success now. First, I created a user in Windows ADUC,
and then used ktpass.exe (in Windows again) to create the keytab. Then
I copied over the keytab to the samba4 host and also looked at the
user's entry with ldbsearch to figure out what was going on. Then I
recreated those steps in Linux:

1. net newuser imap <password>

2. 'ldbedit -H sam.ldb cn=imap' to add the following:
servicePrincipalName: imap/f.q.d.n
userPrincipalName: imap/f.q.d.n@REALM

The 'userPrincipalName' entry is added by Windows ktpass.exe, but it
was not strictly necessary. The trick was to add the servicePrincipalName
WITHOUT the realm part.

3. ktpass --out imap.keytab --princ imap/f.q.d.n --pass <password>

Success! I can get a ticket, and Thunderbird with GSSAPI works.
However, the same trick does not work for creating a host/f.q.d.n
keytab :-(
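Added example (not code from the original post, nor from Samba): the three steps above, written out so the two principal forms the post distinguishes are explicit. It builds the realm-less servicePrincipalName and the realm-qualified userPrincipalName, emits the LDIF equivalent of the ldbedit step for use with ldbmodify, and parses the resulting keytab the way klist -kt does, so you can confirm which principal ktpass actually wrote before testing a GSSAPI login. The hostname mail.example.com, realm EXAMPLE.COM, container CN=Users and the key bytes are constructed for the example; the keytab layout assumed is the MIT "version 2" format (magic 0x0502) that MIT Kerberos and Heimdal write, which is assumed, not confirmed by the post, to be what Samba 4's ktpass produced.

```python
import struct
from typing import List, Tuple

# Assumed keytab layout: MIT "version 2" (magic 0x0502), big-endian. Per entry:
#   int32 size; uint16 n_components; counted-string realm;
#   n_components counted-strings; uint32 name_type; uint32 timestamp;
#   uint8 vno8; uint16 enctype; counted-string key; [uint32 vno32]
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
Entry = Tuple[str, int, int, bytes]   # (principal, kvno, enctype, key)


def service_principal(service: str, fqdn: str) -> str:
    """servicePrincipalName as the post adds it to sam.ldb: no realm suffix."""
    return f"{service}/{fqdn}"


def user_principal(service: str, fqdn: str, realm: str) -> str:
    """userPrincipalName as ktpass.exe writes it: with the realm."""
    return f"{service}/{fqdn}@{realm}"


def ldif_add_principals(cn: str, base_dn: str, service: str, fqdn: str, realm: str) -> str:
    """LDIF equivalent of the post's ldbedit step, for `ldbmodify -H sam.ldb`."""
    return (
        f"dn: CN={cn},CN=Users,{base_dn}\n"
        "changetype: modify\n"
        "add: servicePrincipalName\n"
        f"servicePrincipalName: {service_principal(service, fqdn)}\n"
        "-\n"
        "add: userPrincipalName\n"
        f"userPrincipalName: {user_principal(service, fqdn, realm)}\n"
        "-\n"
    )


def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Entry]) -> bytes:
    """Serialise entries into keytab bytes (the writer side, what ktpass does)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)            # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def cstr(self) -> bytes:
        (n,) = self.take(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def keytab_entries(data: bytes) -> List[Entry]:
    """Parse a keytab like `klist -kt`; skips deleted (negative-size) slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    r = _Reader(data, 2)
    entries: List[Entry] = []
    while r.pos < len(data):
        (size,) = r.take(">i")
        if size < 0:                 # deleted slot: skip its payload
            r.pos += -size
            continue
        end = r.pos + size
        (ncomp,) = r.take(">H")
        realm = r.cstr().decode()
        comps = [r.cstr().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = r.take(">IIB")
        (enctype,) = r.take(">H")
        key = r.cstr()
        kvno = vno8
        if end - r.pos >= 4:         # optional 32-bit kvno wins when non-zero
            (vno32,) = r.take(">I")
            kvno = vno32 or vno8
        r.pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def keytab_has_principal(data: bytes, principal: str) -> bool:
    return any(p == principal for p, _, _, _ in keytab_entries(data))


# Constructed sample: hostname, realm and key bytes are made up for this example.
SAMPLE_KEYTAB = build_keytab([
    ("imap/mail.example.com@EXAMPLE.COM", 2, 23, bytes(range(16))),  # 23 = rc4-hmac
])

if __name__ == "__main__":
    print(ldif_add_principals("imap", "DC=example,DC=com", "imap", "mail.example.com", "EXAMPLE.COM"))
    for p, kvno, et, _ in keytab_entries(SAMPLE_KEYTAB):
        print(f"{kvno:>3} {p} (enctype {et})")
```

The check worth keeping is the last one: after ktpass, confirm that the principal in the keytab matches the servicePrincipalName in sam.ldb with the realm appended, and that the kvno in the keytab matches the account's current key version, since either mismatch fails the GSSAPI exchange in the same non-obvious way.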
