[Samba] krb ticket for the computer account

Andreas Dan Larsson andreas.d.larsson at axis.com
Thu Nov 11 01:37:16 MST 2010

> [DOMAIN\computercomputer ~]$ klist -5
> klist: No credentials cache found (ticket cache
> FILE:/tmp/krb5cc_16777222)
> [DOMAIN\computercomputer ~]$ kinit -5 computer\$@domain.com
> Password for computer$@domain.com:
> As you know, computer account passwords are not supposed to be entered
> by
> users under normal circumstances.
> How can I obtain a krb5 ticket for the computer account?

Hi Mustafa,

To be able to check out a ticket in that way you need to set userprincipialname on the computeraccount. I do that when I join with:

# net ads join createupn="host/hostname.domain.tld at DOMAIN.TLD"

I then create a keytab file:

# net ads keytab create

You don't need a userprincipialname to have a keytab but you have to have upn set if you want to check out a ticket from a keytab to a ccache. 

There are some options in smb.conf about kerberos keytab that I guess you want to use. 

Andreas Larsson

More information about the samba mailing list