[Samba] Understanding kerberos principals in samba4

Andrew Bartlett abartlet at samba.org
Fri Jul 13 17:27:25 MDT 2012

On Fri, 2012-07-13 at 15:12 +0200, Quinn Plattel wrote:
> Hi,
> When I have a service on a client that tries to use kerberos and I get
> errors such as these in the log.samba file:
> Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such
> entry found in hdb
> Does this mean that the kerberos authentication system is looking for the
> principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain

That would be in the domain.  hdb is a reference to our sam.ldb in this

> or in the server's /etc/krb5.keytab file? I have tried adding this
> principal to the /etc/krb5.keytab file using ktutil, but this error still
> pops up.  I noticed that you can export a principal into a keytab file
> using "samba-tool domain exportkeytab" but how do you add the principal to
> the domain?  Will adding the missing principal using "samba-tool spn" solve
> problems like these?


> According to https://help.ubuntu.com/community/SingleSignOn , you add a
> host to the kerberos realm by doing these two commands on the kerberos
> server:
> kadmin: addprinc -randkey host/client.example.com @ EXAMPLE.COM
> kadmin: ktadd -k ~/client.keytab host/client.example.com @ EXAMPLE.COM
> I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@
> EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab
> ~/client.keytab --principal=host/client.example.com" but what is the
> equivalent of "kadmin: addprinc -randkey host/client.example.com @
> EXAMPLE.COM" under samba4 ???

If the client doesn't wish to have any Samba integration it would be
adding a user, adding an spn, setting a random password and then using
the exportkeytab command you mentioned.

However, joining the machine using Samba would be more likely what you
want, ie run 'net ads join' on the client, and look into the keytab
options in the smb.conf for how to have Samba maintain a system keytab
for your other services. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list