[Samba] generate keytab
Andrew Bartlett
abartlet at samba.org
Thu Jan 24 20:43:25 MST 2013
On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> Please! Don't write into private mail. Thanks.
>
> > $ samba-tool user create http-user --random-password
> > $ samba-tool spn add HTTP/www.nisled.org http-user
>
> Okay, you've got user http-user with principals http-user at NISLED.ORG
> and HTTP/www.nisled.org at NISLED.ORG.
>
> > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
>
> Here you export _only_ HTTP/www.nisled.org at NISLED.ORG.
>
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
>
> Of course, because you didn't export it.
>
> > Can anyone help me?
>
> Export http-user at NISLED.ORG too.

Exactly. While the Samba KDC is smart, and knows these are the same
user, the keytab and krb5 client tools are dumb (very), they work on
exact string matches, so you have to export out exactly the name you want
to kinit as, or kinit as HTTP/www.nisled.org at NISLED.ORG.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org