question about service principals (samba4)

Aaron Solochek aarons-samba at
Tue Sep 21 14:58:50 MDT 2010

I can see in ldap that computer objects have service principals associated with
them, however, I can't seem to use them.

I did a dump of the keys on the server with a net export keytab, and it didn't
populate that keytab with the service principals as I'd hoped.  Thinking that
the service principals might be aliases for the actual machine account
principal, I tried renaming the key FOO$ to host/foo in that keytab and then
tried authenticating with it, but it told me host/foo was not found in the

My past experience with kerberos is all with heimdal and MIT krb, so I don't
know in what ways I should expect things to be different with windows or samba
KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
start deploying some kerberized services.  I was hoping the servicePrincipalName
entries did some sort of magic for me, but failing that, I suppose I need to
create completely separate accounts for each service principal I want.

Also, what is the canonical way to extract a keytab containing only keys I
specify?  And related to that, will samba4 ever support a kadmin interface,
because that would be awesome.



More information about the samba-technical mailing list