[Samba] Getting host keys with samba

Robert Bannocks R.Bannocks at nhm.ac.uk
Tue Jan 2 16:55:07 GMT 2007


I have samba working fine against our windows 2000/3 network under
solaris 9/10.  Users can attach to samba using the Kerberos credentials
on their windows XP PCs.

I would now like to kerberise the unix applications, starting with the
supplied Sun rlogind, telnetd, etc.

As I understand things I now need to have a host key on the end systems.

Will samba's net ads keytab create do this for me?  And avoid me having
to run ktpass.exe on windows for each and every host?

I am having some trouble finding documentation on net ads keytab.

Running net ads keytab create certainly creates a key tab that I can
examine with klist -K; however, some encryption types are listed as
type-23 (Solaris' keytab).

I am using MIT Kerberos to compile samba against as I could not get
samba to compile against it and it has advantages of being more up to
date.

Can anyone assist me with this?

Also I would like to know the answers to the following.

As I understand this, the service principal name that is assigned to the
machine when I join it to the domain is the equivalent of the NT 4.0
machine account. Does this, as in NT 4.0, change its password (and hence in
an ADS environment its SPN password) every so often?  If so, is a
consequence of this that any keytab created with net ads keytab will
become out of date sooner or later?  Does use Kerberos keytab in
smb.conf fix this? If not, why might you use it?

Should samba and the kerberised applications share a Kerberos entry, or
should I create a separate identity for the non-samba applications in
AD and extract a key tab via ktpass.exe on the Windows side of things?

Thanks for your help in advance

Regards,

RB
