[Samba] Understanding kerberos principals in samba4

Quinn Plattel qiet72 at gmail.com
Fri Jul 13 07:12:20 MDT 2012


When I have a service on a client that tries to use kerberos and I get
errors such as these in the log.samba file:

Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
entry found in hdb

Does this mean that the kerberos authentication system is looking for the
principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain
or in the server's /etc/krb5.keytab file? I have tried adding this
principal to the /etc/krb5.keytab file using ktutil, but this error still
pops up.  I noticed that you can export a principal into a keytab file
using "samba-tool domain exportkeytab" but how do you add the principal to
the domain?  Will adding the missing principal using "samba-tool spn" solve
problems like these?

According to https://help.ubuntu.com/community/SingleSignOn , you add a
host to the kerberos realm by doing these two commands on the kerberos

kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM

I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
~/client.keytab --principal=host/client.example.com" but what is the
equivalent of "kadmin: addprinc -randkey host/client.example.com @
EXAMPLE.COM" under samba4 ???


More information about the samba mailing list