[Samba] Problem with keytab: "Client not found in Kerberos database"

Brian Candler b.candler at pobox.com
Wed Dec 21 15:39:59 UTC 2016

On 21/12/2016 00:54, Achim Gottinger wrote:
> Am 20.12.2016 um 14:50 schrieb Brian Candler via samba:
>> (2) Can "net ads keytab create" be told to extract just a single 
>> named principal? That would simplify things. But I can't see how to.
>> As usual... clues gratefully received.
> samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN]
> In your case
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WRN-RADTEST$ 

Thank you, that looks promising.

Am I supposed to be able to run this on the host itself? Because if I 
try, I get an error:

root@wrn-radtest:~# samba-tool domain exportkeytab /etc/misc.keytab
Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
samba_kdc_setup_db_ctx: Cannot determine if we are an RODC in KDC backend: operations error at ../source4/dsdb/common/util.c:3385
ERROR(runtime): uncaught exception - Invalid argument
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 117, in run
     net.export_keytab(keytab=keytab, principal=principal)

Adding the '-P' option (to authenticate using machine credentials) doesn't 
make any difference.

But it *does* work on the domain controller itself:

root@wrn-dc1:~# samba-tool domain exportkeytab /etc/misc.keytab
Export one principal to /etc/misc.keytab
root@wrn-dc1:~# ktutil
ktutil:  rkt /etc/misc.keytab
ktutil:  l
slot KVNO Principal
---- ---- 
    1    2           WRN-RADTEST$@AD.EXAMPLE.NET
    2    2           WRN-RADTEST$@AD.EXAMPLE.NET
    3    2           WRN-RADTEST$@AD.EXAMPLE.NET
    4    2           WRN-RADTEST$@AD.EXAMPLE.NET
    5    2           WRN-RADTEST$@AD.EXAMPLE.NET

Unfortunately, doing it that way I would have to copy the keytab 
manually (and securely) to where it's needed.

Thanks again,
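
Before a keytab exported on the domain controller is copied to another host, it helps to confirm that it holds only the intended principal. The following is an added example, not part of the original post or of Samba: a minimal reader for the file keytab format (version 0x0502, assumed here to be what the export produces) that lists principal, KVNO and enctype number and reports any principal not on an allow-list. The function names, the sample bytes and their enctype numbers are constructed for illustration.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype number)] from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            comps.append(comp.decode())
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        _key, off = _counted(rec, off + 11)
        if len(rec) - off >= 4:       # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return entries

def unexpected_principals(entries, allowed):
    """Principals present in the keytab that are not on the allow-list."""
    return sorted({p for p, _, _ in entries} - set(allowed))

def build_entry(principal, kvno, etype):
    """Constructed test data only: one entry with a dummy all-zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.rsplit("@", 1)
    comps = [cs(c.encode()) for c in name.split("/")]
    rec = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(comps)
    rec += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(bytes(16)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(rec)) + rec

SAMPLE = b"\x05\x02" + b"".join(  # constructed sample, not a real keytab
    build_entry("WRN-RADTEST$@AD.EXAMPLE.NET", 2, e) for e in (1, 3, 17, 18, 23))
```

On a real file, pass the bytes read from the keytab to `parse_keytab` and treat a non-empty result from `unexpected_principals` as a reason not to distribute it.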

