samba4 kerberos user principals with instances

steve steve at
Tue Apr 16 00:09:03 MDT 2013

On 16/04/13 02:49, David Mansfield wrote:
> On 04/15/2013 06:59 PM, Dewayne wrote:
>> David,
>> The creation of additional principles in samba4 is achieved by 
>> creating a user record and then the spn.
>> Example:
>> samba-tool user create http-user --random-password
>> samba-tool spn add HTTP/  http-user
>> samba-tool domain exportkeytab --principal=HTTP/ 
>> http.keytab
>> Samba4 Kerberos is based on the heimdal implementation. Perhaps you 
>> could be clearer about what aspect you regard as rubbish?
> First and foremost, the "rubbish" was a joke based on the other 
> mailing list thread today that seemed to take over my inbox...  I 
> don't think it's "rubbish" in the least, on the contrary!
> Regarding SPN, I've used it to create service principals, and I can 
> create the SPN on my user,e.g.:
> samba-tool spn add david/admin david
> But I need to obtain a tgt for this principal, so it needs a password 
> somehow, rather than an exported keytab.  It's to be used by a user, 
> to authenticate to a service with a different credential than the 
> "regular" one.  I've seen people using this to restrict root access 
> (user/root at REALM).
How about a keytab and kinit?
samba-tool domain exportkeytab=/etc/david.keytab --principal=david/admin
then just
kinit -k -t /etc/david.keytab david/admin
or you can put the principal in the default keytab (usually 
/etc/krb5.keytab) and simplify it to:
kinit -k david/admin
That will get you the tgt.

More information about the samba-technical mailing list