question about service principals (samba4)

Andrew Bartlett abartlet at
Fri Sep 24 01:25:45 MDT 2010

On Fri, 2010-09-24 at 02:32 -0400, srikumar 108 wrote:
> On Fri, Sep 24, 2010 at 1:13 AM, Andrew Bartlett <abartlet at> wrote:
> > On Thu, 2010-09-23 at 12:48 -0400, Aaron Solochek wrote:
> >
> > Now you just need to set the krb5keytab and servicePrincipalName
> > attributes in secrets.ldb, and we will handle the rest.
> >
> I can't see any record in secrets.ldb other than those belonging to
> the domain controller. What about other computer accounts? And what
> about other accounts that I created to generate keytabs (spn's like
> imap, smtp, http and so on)? I can't see any entries for those in
> secrets.ldb.

This facility is so far only for Samba4's own DC account (so you can SSH
into the DC, for example, or do DNS updates against BIND), and for
Samba4 member servers.

The best option at this point is to join the other hosts as member
servers, and then edit *their* secrets.ldb to mention the services for
which they are registered.

I see now that you want a tool that extracts keytabs for *other*
accounts.  I'll see what I can do to arrange that - would it be OK to
have it also reset the password at keytab generation time?

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.