question about service principals (samba4)

Andrew Bartlett abartlet at
Sun Sep 26 19:47:26 MDT 2010

On Sat, 2010-09-25 at 03:10 -0400, srikumar 108 wrote:
> On Fri, Sep 24, 2010 at 3:25 AM, Andrew Bartlett <abartlet at> wrote:
> >
> > I see now that you want a took that extracts keytabs for *other*
> > accounts.  I'll see what I can do to arrange that - would it be OK to
> > have it also reset the password at keytab generation time?
> >
> > Andrew Bartlett
> >.
> Yes, something like that. For the use I have in mind, resetting the
> password shouldn't matter, I use random pass for those a/cs anyway.
> What would a password reset imply, logon and logoff on the affected
> host or a service restart, am I correct?
> To be honest, I already have what I need with a little shell script
> and heimdal's ktutil. However, that may not be a solution for
> everybody (because of its dependence on heimdal's utilities). What I
> was after was to create an user a/c, like 'smtp-speedy' and then add
> an SPN like 'smtp/' for kerberized services running on
> other hosts (i.e. not on the DC), and which may not be running samba
> (so I can't use existing methods like samba3's 'net ads keytab'
> command). My thinking was, why should a web or mail server have to be
> joined to the AD domain, shouldn't ldap and kerberos be enough?
> Anyway, I think if the net command could be extended to dump just the
> keytab for a specified SPN, and optionally create the SPN on the fly
> given a samAccountName, it would be perfect. All one would have to do
> is:
> # net newuser smtp-foo <randompass>
> # net export keytab --samaccountname foo --principalname smtp/

A agree it's a sensible and useful way to expect to run Samba to host
unix computers well in it's domain.  I'll see what I can do to provide
commands like this.  The work I did deliberately decoupled the code from
our 'credentials' layer to try and make this easier to implement. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list