[Samba] Problem with keytab: "Client not found in Kerberos database"
Brian Candler
b.candler at pobox.com
Wed Dec 21 15:39:59 UTC 2016
On 21/12/2016 00:54, Achim Gottinger wrote:
>
>
> Am 20.12.2016 um 14:50 schrieb Brian Candler via samba:
>> (2) Can "net ads keytab create" be told to extract just a single
>> named principal? That would simplify things. But I can't see how to.
>>
>> As usual... clues gratefully received.
> samba-tool domain exportkeytab [keytabfile] --principal=[SPN or UPN]
>
> In your case
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WRN-RADTEST$
Thank you, that looks promising.
Am I supposed to be able to run this on the host itself? Because if I
try, I get an error:
root@wrn-radtest:~# samba-tool domain exportkeytab /etc/misc.keytab --principal='WRN-RADTEST$'
Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
Failed to find our own NTDS Settings DN in the ldb!
Failed to find our own NTDS Settings objectGUID in the ldb!
samba_kdc_setup_db_ctx: Cannot determine if we are an RODC in KDC backend: operations error at ../source4/dsdb/common/util.c:3385
ERROR(runtime): uncaught exception - Invalid argument
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 117, in run
    net.export_keytab(keytab=keytab, principal=principal)
Adding the '-P' option (to authenticate using machine credentials) doesn't make any difference.
But it *does* work on the domain controller itself:
root@wrn-dc1:~# samba-tool domain exportkeytab /etc/misc.keytab --principal='WRN-RADTEST$'
Export one principal to /etc/misc.keytab
root@wrn-dc1:~# ktutil
ktutil: rkt /etc/misc.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 WRN-RADTEST$@AD.EXAMPLE.NET
   2    2 WRN-RADTEST$@AD.EXAMPLE.NET
   3    2 WRN-RADTEST$@AD.EXAMPLE.NET
   4    2 WRN-RADTEST$@AD.EXAMPLE.NET
   5    2 WRN-RADTEST$@AD.EXAMPLE.NET
ktutil:
Unfortunately, doing it that way I would have to copy the keytab
manually (and securely) to where it's needed.
Thanks again,
Brian.
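The `ktutil: l` listing in the message above is the check worth doing on the exported file before it is copied to the member host: the keytab carries the machine account's long-term keys, so it should hold exactly the principal that was asked for and nothing else. As an added example (not code from the post, from the list members or from Samba), here is a small Python parser for the MIT keytab format (version bytes 0x05 0x02) that reproduces the slot/KVNO/principal listing offline and flags any principal other than the expected one. The sample keytab is constructed inline from the principal shown in the post; the enctype set, the key bytes, the name type and the timestamp are assumptions, not values from the real file.

```python
"""Added example: list an MIT-format keytab (version 0x0502) the way
`ktutil: l` does, and check it holds only the exported principal.
Not code from the post or from Samba; sample input is constructed here."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

EXPECTED = "WRN-RADTEST$@AD.EXAMPLE.NET"   # the principal exported in the post


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry chain of a 0x0502 keytab (all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _counted(data, p)  # realm comes before the name components
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key, p = data[p:p + klen], p + klen
        kvno = vno8
        if end - p >= 4:              # optional 32-bit kvno; used when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def ktutil_listing(entries: List[KeytabEntry]) -> List[Tuple[int, int, str]]:
    """(slot, KVNO, principal) rows, the columns ktutil's `l` prints."""
    return [(i, e.kvno, e.principal) for i, e in enumerate(entries, 1)]


def foreign_principals(entries: List[KeytabEntry], expected: str) -> List[str]:
    """Principals present that were not asked for; empty is the good answer."""
    return sorted({e.principal for e in entries if e.principal != expected})


def build_keytab(rows: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) rows; only used here to
    construct sample input.  Name type 1 and the timestamp are assumed."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in rows:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1482334799, kvno & 0xFF)  # 8-bit kvno field
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: five slots, all KVNO 2, one principal, like the post's
# listing.  The enctypes (des-cbc-crc, des-cbc-md5, arcfour-hmac, aes128,
# aes256) and the zeroed key bytes are assumptions, not the real machine keys.
SAMPLE_KEYTAB = build_keytab([
    (EXPECTED, 2, 1, bytes(8)),
    (EXPECTED, 2, 3, bytes(8)),
    (EXPECTED, 2, 23, bytes(16)),
    (EXPECTED, 2, 17, bytes(16)),
    (EXPECTED, 2, 18, bytes(32)),
])
```

To use it on the real file, read `/etc/misc.keytab` in binary mode and pass the bytes to `parse_keytab`; `ktutil_listing` should match what `ktutil: l` (or `klist -kte`) prints, and `foreign_principals` should return an empty list. Whatever the listing says, the file still has to travel over an authenticated, encrypted channel and land root-owned with mode 0600, since anyone who reads it holds the machine account's keys.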