question about service principals (samba4)

Aaron Solochek aarons-samba at aberrant.org
Sat Sep 25 10:46:03 MDT 2010


On 09/25/2010 03:10 AM, srikumar 108 wrote:
> On Fri, Sep 24, 2010 at 3:25 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> 
>>
>> I see now that you want a tool that extracts keytabs for *other*
>> accounts.  I'll see what I can do to arrange that - would it be OK to
>> have it also reset the password at keytab generation time?
>>
>> Andrew Bartlett
> 
> Yes, something like that. For the use I have in mind, resetting the
> password shouldn't matter, I use random pass for those a/cs anyway.
> What would a password reset imply: a logon and logoff on the affected
> host, or a service restart? Am I correct?
> 
> To be honest, I already have what I need with a little shell script
> and heimdal's ktutil. However, that may not be a solution for
> everybody (because of its dependence on heimdal's utilities). What I
> was after was to create a user a/c, like 'smtp-speedy' and then add
> an SPN like 'smtp/speedy.test.com' for kerberized services running on
> other hosts (i.e. not on the DC), and which may not be running samba
> (so I can't use existing methods like samba3's 'net ads keytab'
> command). My thinking was, why should a web or mail server have to be
> joined to the AD domain, shouldn't ldap and kerberos be enough?
> 

This situation is pretty much exactly why I'd like kadmin running on the kdc.
It is unfortunate that the protocols are different between Heimdal/MIT, and I am
assuming that it's non-trivial to swap in MIT krb5 in the samba build, but
kerberos doesn't imply samba, and a network could very well have machines that
want kerberos but not samba.  It ought to be possible to set up such a machine
using the kerberos tools it will already have, and not be required to extract
the keys on some third machine and transfer them over.


> Anyway, I think if the net command could be extended to dump just the
> keytab for a specified SPN, and optionally create the SPN on the fly
> given a samAccountName, it would be perfect. All one would have to do
> is:
> 
> # net newuser smtp-foo <randompass>
> # net export keytab --samaccountname foo --principalname smtp/foo.domain.com
> 

Yes, this too.  I get the impression that the net utility is still very much a
work in progress, but in the end it would be pretty awesome if it provided the
union of the functionality you can get from ktutil/kadmin from both MIT and
Heimdal.  Including:

* getting a key from the kdc for a keytab
* generating a key in a keytab or on the kdc
* modifying (including renaming) any attribute of a key in a keytab or on the kdc
* copying a key to a key with a new name, but otherwise the same
* merging keytabs together
* wildcard support for matching keys

Some of those things are pretty obnoxious to do right now with any one toolset.
For example, if I want to copy a key on the kdc, I need to login to the kdc,
dump the database to a file, copy the line of the file, rename the principal,
then load that file back into the database.


Finally, it would be nice if the utilities that assume conventions like ksu
assuming username/root or username/admin would work.  I'm not sure how well this
can fit with the AD type security group stuff, but even if /root and /admin were
aliases the way SPNs are for machine accounts, it would be helpful.

-Aaron
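An added example, not code from this thread or from Samba, of what the keytab such a tool would hand over looks like on disk: a small reader/writer for the MIT/Heimdal keytab file format (version 0x0502) that lists principal, kvno and enctype so an exported keytab can be checked, plus a wildcard selector of the kind listed above. The realm, principal names and zero-filled keys in the sample are constructed placeholders.

```python
"""Reader/writer for the MIT/Heimdal keytab format (v0x0502); added example, not Samba code."""
import fnmatch
import struct

def _read_cstr(data: bytes, pos: int):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_entry(principal, realm, kvno, enctype, key) -> bytes:
    """Serialise one entry; in v2 the component count excludes the realm."""
    parts = [realm] + principal.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body      # length prefix excludes itself

def _parse_entry(data: bytes, pos: int, end: int):
    (ncomp,) = struct.unpack_from(">H", data, pos)
    realm, pos = _read_cstr(data, pos + 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _read_cstr(data, pos)
        comps.append(comp)
    pos += 8                                        # skip name type and timestamp
    kvno8, (enctype, klen) = data[pos], struct.unpack_from(">HH", data, pos + 1)
    pos += 5 + klen                                 # key bytes are not needed for a listing
    kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
    return "/".join(comps) + "@" + realm, kvno or kvno8, enctype

def parse_keytab(data: bytes):
    """Return [(principal@REALM, kvno, enctype), ...], skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]  # negative size marks a hole
        if size > 0:
            out.append(_parse_entry(data, pos + 4, pos + 4 + size))
        pos += 4 + abs(size)
    return out

def select(entries, pattern):
    """Wildcard match on principal names, e.g. select(entries, 'smtp/*@TEST.COM')."""
    return [e for e in entries if fnmatch.fnmatchcase(e[0], pattern)]

SAMPLE_ENTRIES = [("smtp/speedy.test.com", "TEST.COM", 3, 18, bytes(32)),  # 18 = aes256-cts
                  ("host/dc.test.com", "TEST.COM", 2, 17, bytes(16))]      # 17 = aes128-cts
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(*SAMPLE_ENTRIES[0]) + struct.pack(">i", -6)
                 + bytes(6) + build_entry(*SAMPLE_ENTRIES[1]))  # constructed, with a 6-byte hole
```

Running `parse_keytab` over a real keytab file's bytes gives the same listing as `ktutil list` or `klist -kt`, which is the quickest way to confirm an exported SPN has the kvno the KDC currently holds.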

