[Samba] Obtaining TGT using service principal name

Bobby Kirchgessner asuranzala at gmail.com
Mon Feb 3 11:27:57 MST 2014

I have been trying to setup Samba4 as a DC using kerberos for
authentication. I have successfully provisioned the domain, and was able to
join my domain using my windows machine as well as kinit to obtain a ticket
for my administrator user from my servers.

I have hit a wall trying to setup a server to authenticate a SPN using a
keytab. I can join the domain and kinit as my administrator user, using
"net ads join -Uadministrator" and "kinit administrator" but I cannot get a
TGT using the SPN with kinit.

I used the following commands to create a user and add an SPN to it:
samba-tool user create cifs-server
samba-tool spn add cifs/server.my.domain.local
samba-tool domain exportkeytab /root/server0.keytab

ktutil successfully lists the entry for the cifs/server.my.domain.local

After moving the keytab (and renaming it) to server.my.domain.local, I try
to gain a TGT using the command: kinit -k -t /etc/krb5.keytab

This returns a "Client (cifs/server.my.domain.local) unknown." error. If I
export the principal for the server$ or cifs-server, I can successfully
authenticate and obtain an entry in klist.

Is there something I am missing to obtain a TGT using a keytab?

Thank you for your help.
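A useful first check when a keytab-based kinit fails with "Client ... unknown" is to confirm, on the file side, exactly which principals, kvnos and enctypes the exported keytab holds, so that the principal you pass to kinit matches an entry byte for byte (realm case included). The script below is an added example written for this page, not code from the thread or from Samba: it parses the keytab file format (version 0x0502, as written by MIT and Heimdal tools and by samba-tool exportkeytab) and builds a small sample keytab in memory from constructed data. The realm MY.DOMAIN.LOCAL, the kvnos and the key bytes are assumptions and placeholders, not values from the post. Whether the KDC then accepts a given name as the client of an AS-REQ is a server-side decision the file cannot answer; this only rules out the keytab itself as the problem.

```python
"""Inspect the principals stored in a Kerberos keytab (file format 0x0502).

Added example, not code from the mailing-list post. It builds a small
keytab in memory from constructed sample data (dummy key bytes, made-up
kvnos) so that it runs offline; the realm MY.DOMAIN.LOCAL is assumed from
the domain name in the post.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

KEYTAB_V2 = b"\x05\x02"          # MIT/Heimdal keytab, version 2, big-endian
KRB5_NT_PRINCIPAL = 1            # name type used for plain and service principals
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_ARCFOUR_HMAC = 23


class KeytabEntry(NamedTuple):
    principal: str   # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    timestamp: int


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(components: List[str], realm: str, kvno: int, enctype: int,
                key: bytes, timestamp: int = 0,
                name_type: int = KRB5_NT_PRINCIPAL) -> bytes:
    """Serialise one keytab entry, including the 32-bit kvno extension."""
    body = struct.pack(">H", len(components))           # v2: realm is not counted
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock
    body += struct.pack(">I", kvno)                     # full kvno; overrides the 8-bit field
    return struct.pack(">i", len(body)) + body


def _read_counted(blob: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, off)
    off += 2
    return blob[off:off + n], off + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Return every live entry in the keytab, skipping deleted slots."""
    if blob[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % (blob[:2],))
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                  # negative size: deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (num_comp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _read_counted(blob, off)
        comps = []
        for _ in range(num_comp):
            comp, off = _read_counted(blob, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", blob, off)
        off += 2
        _key, off = _read_counted(blob, off)  # key material is not needed for listing
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", blob, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp))
    return entries


def find_principal(blob: bytes, principal: str) -> Optional[KeytabEntry]:
    """Confirm that the principal you intend to kinit as is really in the file."""
    for entry in parse_keytab(blob):
        if entry.principal == principal:
            return entry
    return None


# Constructed sample keytab: an SPN entry, a deleted slot, and the machine account.
DUMMY_KEY = b"\x11" * 32  # placeholder bytes, not a real key
SAMPLE_KEYTAB = (
    KEYTAB_V2
    + build_entry(["cifs", "server.my.domain.local"], "MY.DOMAIN.LOCAL",
                  kvno=3, enctype=ENCTYPE_AES256_CTS_HMAC_SHA1_96, key=DUMMY_KEY)
    + struct.pack(">i", -8) + b"\x00" * 8          # deleted slot, must be skipped
    + build_entry(["SERVER$"], "MY.DOMAIN.LOCAL",
                  kvno=300, enctype=ENCTYPE_ARCFOUR_HMAC, key=b"\x22" * 16)
)

if __name__ == "__main__":
    # Prints roughly what ktutil list / klist -k would show for this file.
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %3d  enctype %2d  %s" % (e.kvno, e.enctype, e.principal))
```

On a real system the same listing comes from `klist -k -t /etc/krb5.keytab` (MIT) or `ktutil list` (Heimdal, the tool the post uses); the value of walking the format by hand is seeing that the principal string, including the upper-case realm and the 32-bit kvno, is what kinit has to match, and that a kvno mismatch with the account in the directory is a separate failure from the client name being unknown.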
