question about service principals (samba4)

Michael Wood esiotrot at
Sat Sep 25 12:21:46 MDT 2010

On 24 September 2010 15:52, Aaron Solochek <aarons-samba at> wrote:
> On 09/24/2010 01:13 AM, Andrew Bartlett wrote:
>> On Thu, 2010-09-23 at 12:48 -0400, Aaron Solochek wrote:
>>> Ok, well I did manage to get the host/foo keys by writing a shell script to
>>> filter the net export keytab file down to what I wanted, then using ktutil from
>>> heimdal to rename the FOO$ to host/foo, and gssapi key exchange for ssh now works.
>> Now you just need to set the krb5keytab and servicePrinicpalName
>> attributes in secrets.ldb, and we will handle the rest.
>> It would be good if you can test it, using the current tree.
> I have no idea how to do anything with the ldb files other than dump them with
> tdbdump.  [...]

You can search/modify/etc. the ldb files similarly to LDAP using
ldbsearch instead of ldapsearch, ldbmodify instead of ldapmodify etc.

Try also:
# ldbedit -H /usr/local/samba/private/secrets.ldb
'(servicePrincipalName=*)' servicePrincipalName

Not sure about krb5keytab, though.  I don't see any attributes like
that in my secrets.ldb.

If it's supposed to be privateKeytab, then you could use this:

ldbedit -H secrets.ldb '(|(servicePrincipalName=*)(privateKeytab=*))'
servicePrincipalName privateKeytab

Michael Wood <esiotrot at>

More information about the samba-technical mailing list