[Samba] generate keytab

Andrew Bartlett abartlet at samba.org
Thu Jan 24 20:43:25 MST 2013

On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> Please! Don't write into private mail. Thanks.
> > $ Samba-tool user create http-user --random-password
> > $ Samba-tool spn add HTTP/www.nisled.org  http-user
> Okay, you've got user http-user with principals http-user at NISLED.ORG
> and HTTP/www.nisled.org at NISLED.ORG.
> > $ Samba-tool domain exportkeytab --principal=HTTP/www.nisled.org
> > http.keytab
> Here you export _only_ HTTP/www.nisled.org at NISLED.ORG.
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
> Of cause, because you didn't export it.
> > Can anyone help me?
> Export http-user at NISLED.ORG too.

Exactly.  While the Samba KDC is smart, and knows these are the same
user, the keytab and krb5 client tools are dumb (very), they work on
exact string matches, so you have export out exactly the name you want
to kinit as, or kinit as HTTP/www.nisled.org at NISLED.ORG.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list