question about service principals (samba4)

srikumar 108 srikumar108 at
Wed Sep 22 17:47:07 MDT 2010

On Tue, Sep 21, 2010 at 4:58 PM, Aaron Solochek
<aarons-samba at> wrote:
> I can see in ldap that computer objects have service principals associated with
> them, however, I can't seem to use them.
> I did a dump of the keys on the server with a net export keytab, and it didn't
> populate that keytab with the service principals as I'd hoped.  Thinking that
> the service principals might be aliases for the actual machine account
> principal, I tried renaming the key FOO$ to host/foo in that keytab and then
> tried authenticating with it, but it told me host/foo was not found in the
> database.

This should absolutely work. In fact that is how I am getting sshd to
work on the host samba4 is running on. Copy the secrets.keytab into
/etc/krb5.keytab, and rename the principal from FOO$ to host/foo using
heimdal's ktutil. The only caveat is that you will have to rebuild the
keytab every time you do an upgradeprovision.

> My past experience with kerberos is all with heimdal and MIT krb, so I don't
> know in what ways I should expect things to be different with windows or samba
> KDC, but I do assume there is some way to get host/foo and nfs/foo keys so I can
> start deploying some kerberized services.  I was hoping the servicePrincipalName
> entries did some sort of magic for me, but failing that, I suppose I need to
> create completely separate accounts for each service principal I want.

You can use the script from samba's scripting/bin directory
(it is not installed by default). It's modeled more-or-less on
windows' ktpass.exe, but I found it less convenient because you must
have the account's password, which is usually unknown in case of
machine accounts. What I do is use 'net export keytab' to dump the
keytab, which contains ALL the principals. Then I use a shell script
which deletes all principals from the keytab except the one I want
(lame, I know), and finally I use ktutil to rename the principal
appropriately. You can create a separate account for each service
principal, except in the case of the host/xyz SPNs. The latter are already
created by samba for each machine account, so all you have to do is
extract the HOSTNAME$ principal and rename it to host/hostname.

It would be nice if the net command could be extended to something like:

net export keytab <keytab> --samaccountname <account> --serviceprincipal <spn>

That would insert the serviceprincipalname into the database as
needed. In the meanwhile one can make do with a shell wrapper, as I am doing.

> Also, what is the canonical way to extract a keytab containing only keys I
> specify?  And related to that, will samba4 ever support a kadmin interface,
> because that would be awesome.
> Thanks.
> -Aaron
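The extract-and-rename step described above (dump everything with 'net export keytab', drop every principal except the one you want, rename FOO$ to host/foo) is done with Heimdal's ktutil in the thread. The Python below is an added example, not code from this thread or from Samba, that performs the same two operations directly on the keytab file so you can see what the rename actually changes. The realm EXAMPLE.COM, the host names and the all-zero key bytes are made up; the byte layout is the standard 0x0502 keytab format shared by MIT krb5, Heimdal and Samba.

```python
"""Pull one principal out of a keytab dump and rename it in place.

Keytab format 0x0502: uint16 version, then entries of
  int32 size (negative = hole left by a deleted entry)
  uint16 n_components; counted realm; counted component[n]
  uint32 name_type; uint32 timestamp; uint8 kvno8
  uint16 enctype; counted key
  uint32 kvno32 (optional: present when >= 4 bytes of the entry remain)
Integers are big-endian; a counted string is uint16 length + bytes.
"""
import struct
from dataclasses import dataclass, replace
from typing import List

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1  # name types, RFC 4120 section 6.2
KRB5_NT_SRV_HST = 3


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    entries, off = [], 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:  # hole: an entry removed in place, skip its bytes
            off += -size
            continue
        end = off + size
        (n_comp,) = struct.unpack_from(">H", blob, off)
        realm, off = _read_counted(blob, off + 2)
        comps = []
        for _ in range(n_comp):
            c, off = _read_counted(blob, off)
            comps.append(c.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", blob, off)
        (enctype,) = struct.unpack_from(">H", blob, off + 9)
        key, off = _read_counted(blob, off + 11)
        if end - off >= 4:  # 32-bit kvno, needed once kvno exceeds 255
            (kvno32,) = struct.unpack_from(">I", blob, off)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry(realm.decode(), comps, name_type,
                                   timestamp, kvno, enctype, key))
        off = end
    return entries


def serialize_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        body += b"".join(_counted(c.encode()) for c in e.components)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # always emit the 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def extract_and_rename(entries, want: str, new_components: List[str],
                       name_type: int = KRB5_NT_SRV_HST) -> List[KeytabEntry]:
    """Keep every key (one per enctype) of principal `want`, relabelled.

    A rename changes the component list, not a string: 'FOO$' is one
    component, 'host/foo' is two. kvno, enctype and key bytes are kept.
    """
    kept = [replace(e, components=list(new_components), name_type=name_type)
            for e in entries if e.principal == want]
    if not kept:
        raise LookupError(f"{want} not in keytab")
    return kept


def demo() -> bytes:
    # Constructed stand-in for a 'net export keytab' dump: two machine
    # accounts with AES256 (18) and RC4 (23) keys; key bytes are zeros.
    dump = serialize_keytab([
        KeytabEntry("EXAMPLE.COM", ["FOO$"], KRB5_NT_PRINCIPAL, 1285000000, 2, 18, bytes(32)),
        KeytabEntry("EXAMPLE.COM", ["FOO$"], KRB5_NT_PRINCIPAL, 1285000000, 2, 23, bytes(16)),
        KeytabEntry("EXAMPLE.COM", ["DC1$"], KRB5_NT_PRINCIPAL, 1285000000, 7, 18, bytes(32)),
    ])
    host_keys = extract_and_rename(parse_keytab(dump), "FOO$@EXAMPLE.COM",
                                   ["host", "foo.example.com"])
    return serialize_keytab(host_keys)  # this is what goes into /etc/krb5.keytab


if __name__ == "__main__":
    for e in parse_keytab(demo()):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
```

The point to take from it: the rename touches only the principal's component list and name type, while the kvno, enctype and raw key bytes carry over, which is why a renamed FOO$ entry still decrypts tickets the KDC issued for that machine account. That also makes the caveat above concrete: after an upgradeprovision, or any other change of the machine account password, the exported keys and kvno no longer match and the keytab has to be rebuilt from a fresh export.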
