question about service principals (samba4)

Andrew Bartlett abartlet at
Tue Sep 21 17:39:33 MDT 2010

On Tue, 2010-09-21 at 16:58 -0400, Aaron Solochek wrote:
> I can see in ldap that computer objects have service principals associated with
> them, however, I can't seem to use them.
> I did a dump of the keys on the server with a net export keytab, and it didn't
> populate that keytab with the service principals as I'd hoped.  Thinking that
> the service principals might be aliases for the actual machine account
> principal, I tried renaming the key FOO$ to host/foo in that keytab and then
> tried authenticating with it, but it told me host/foo was not found in the
> database.
> My past experience with kerberos is all with heimdal and MIT krb, so I don't
> know in what ways I should expect things to be different with windows or samba
> KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
> start deploying some kerberized services.  I was hoping the servicePrincipalName
> entries did some sort of magic for me, but failing that, I suppose I need to
> create completely separate accounts for each service principal I want.
> Also, what is the canonical way to extract a keytab containing only keys I
> specify?  

I hope to add extensions to our keytab management code to automatically
populate a keytab soon.  My idea is to allow servicePrincipalName to be
specified in the secrets.ldb entries. 

> And related to that, will samba4 ever support a kadmin interface,
> because that would be awesome.

We could, quite easily actually, but I've avoided doing so.  It would
tie us to our current choice of Kerberos implementation in a way that is
exposed to our users.  If there is a real desire, then I'm willing to
allow it - it just means building a little more of Heimdal.

(The problem is that the kadmin tool and protocol are not the same
between MIT and Heimdal.)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
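Aaron also asks for a canonical way to extract a keytab containing only the keys he specifies. As an added example (not code from this thread, from Samba or from Andrew), here is a small Python reader/writer for the MIT/Heimdal keytab file format that copies only named principals into a new keytab; the principal names, realm, enctypes and all-zero keys in the sample are constructed.

```python
# Added example, not from the thread or Samba: read a MIT/Heimdal v2 keytab
# (0x05 0x02) and write a copy holding only chosen principals. Assumed entry
# layout: int32 size, u16 ncomp, realm, ncomp components (u16 len + bytes each),
# u32 name_type, u32 timestamp, u8 vno8, u16 enctype, u16 keylen, key[, u32 kvno].
import struct
def _cstr(b):
    return struct.pack(">H", len(b)) + b              # counted octet string
def build_entry(principal, realm, enctype, key, kvno=1, ts=0):
    comps = principal.split("/")                      # 'host/foo' -> 2 components
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                   # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body
def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)
def parse_keytab(data):
    """Return [(principal, realm, enctype, kvno, key), ...] for every entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled")
    pos, out = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                  # negative size: deleted slot
            pos += -size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            clen, = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _nt, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:                            # nonzero u32 kvno wins
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        out.append(("/".join(comps), realm, etype, kvno, key)); pos = end
    return out
def filter_keytab(data, wanted):
    kept = [e for e in parse_keytab(data) if e[0] in wanted]
    return build_keytab(build_entry(p, r, e, key, kvno) for p, r, e, kvno, key in kept)
# Constructed sample (all-zero keys): machine account plus two service principals.
SAMPLE = build_keytab([
    build_entry("FOO$", "EXAMPLE.COM", 23, bytes(16), kvno=3),
    build_entry("host/foo.example.com", "EXAMPLE.COM", 23, bytes(16), kvno=3),
    build_entry("nfs/foo.example.com", "EXAMPLE.COM", 18, bytes(32), kvno=3)])
ONLY_NFS = filter_keytab(SAMPLE, {"nfs/foo.example.com"})
```

Writing `ONLY_NFS` to a file gives a keytab that `klist -k` style tools read as containing only the nfs principal, while the source keytab stays untouched.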