question about service principals (samba4)

srikumar 108 srikumar108 at
Sat Sep 25 01:10:43 MDT 2010

On Fri, Sep 24, 2010 at 3:25 AM, Andrew Bartlett <abartlet at> wrote:

> I see now that you want a took that extracts keytabs for *other*
> accounts.  I'll see what I can do to arrange that - would it be OK to
> have it also reset the password at keytab generation time?
> Andrew Bartlett

Yes, something like that. For the use I have in mind, resetting the
password shouldn't matter, I use random pass for those a/cs anyway.
What would a password reset imply, logon and logoff on the affected
host or a service restart, am I correct?

To be honest, I already have what I need with a little shell script
and heimdal's ktutil. However, that may not be a solution for
everybody (because of its dependence on heimdal's utilities). What I
was after was to create an user a/c, like 'smtp-speedy' and then add
an SPN like 'smtp/' for kerberized services running on
other hosts (i.e. not on the DC), and which may not be running samba
(so I can't use existing methods like samba3's 'net ads keytab'
command). My thinking was, why should a web or mail server have to be
joined to the AD domain, shouldn't ldap and kerberos be enough?

Anyway, I think if the net command could be extended to dump just the
keytab for a specified SPN, and optionally create the SPN on the fly
given a samAccountName, it would be perfect. All one would have to do

# net newuser smtp-foo <randompass>
# net export keytab --samaccountname foo --principalname smtp/


More information about the samba-technical mailing list