[Samba] generate keytab

Clodonil Trigo clodonil at nisled.org
Mon Jan 28 14:00:29 MST 2013


Hi,

does not http.keytab.

exported thus:

$ samba-tool domain exportkeytab http.keytab --principal=HTTP/ejbca.nisled.org@NISLED.ORG

output:
# klist -ke http.keytab
Keytab name: WRFILE:http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/ejbca.nisled.org@NISLED.ORG (des-cbc-crc)
   2 HTTP/ejbca.nisled.org@NISLED.ORG (des-cbc-md5)
   2 HTTP/ejbca.nisled.org@NISLED.ORG (arcfour-hmac)

kinit:

# kinit -k -e http.keytab http-ejbca
kinit: Key table entry not found while getting initial credentials

Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodonil at nisled.org



2013/1/25 Andrew Bartlett <abartlet at samba.org>

> On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> > Please! Don't write into private mail. Thanks.
> >
> > > $ samba-tool user create http-user --random-password
> > > $ samba-tool spn add HTTP/www.nisled.org  http-user
> >
> > Okay, you've got user http-user with principals http-user@NISLED.ORG
> > and HTTP/www.nisled.org@NISLED.ORG.
> >
> > > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
> >
> > Here you export _only_ HTTP/www.nisled.org@NISLED.ORG.
> >
> > > $ kinit -k -t http.keytab http-user
> > > kinit: Key table entry not found while getting initial credentials
> >
> > Of course, because you didn't export it.
> >
> > > Can anyone help me?
> >
> > Export http-user@NISLED.ORG too.
>
> Exactly.  While the Samba KDC is smart, and knows these are the same
> user, the keytab and krb5 client tools are dumb (very): they work on
> exact string matches, so you have to export exactly the name you want
> to kinit as, or kinit as HTTP/www.nisled.org@NISLED.ORG.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

