[Samba] Kerberos Principal

L.P.H. van Belle belle at bazuin.nl
Tue Feb 23 07:35:55 UTC 2016

You mean something like:

Create a user for a service.
samba-tool user create squid-proxy --description="Unprivileged user for SQUID-Proxy Services" --random-password

Disable password expiry. 
samba-tool user setexpiry squid-proxy --noexpiry

Setting HTTP SPN on the proxy user (proxy1).
samba-tool spn add HTTP/proxy1.internal.domain.tld squid-proxy
samba-tool spn add HTTP/proxy1.internal.domain.tld@KERB_REALM squid-proxy

And export the keytab. 
samba-tool domain exportkeytab --principal=HTTP/proxy1.internal.domain.tld /home/proxy1.keytab


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Thompson
> Sent: Monday 22 February 2016 18:59
> To: samba at lists.samba.org
> Subject: [Samba] Kerberos Principal
> Hi all,
> I’m looking to add in a kerberos principal on my server for the AD domain.
> I see there are ways to do this for user(s), but I don’t see how to add a
> principal for hosts.
> In general, I’d like to add something like the following to my 4.3.4
> Domain:
> ktpass -princ afpserver/fqdn@REALM -mapuser mapuser@domain +rndPass -out
> afpserver.keytab
> This is for a netatalk server. I’ve never had to add a principal to my
> samba, so I’d just like some clarification as this is for a host and not a
> user.
> What would the ‘samba-tool spn add …’ syntax look like in order to add in
> a host principal?
> Thanks,
> _ _
> DT
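
One way to check the keytab produced by the export step before it is copied to the service host: confirm it holds only the intended SPN and no deprecated encryption types. This is an added example, not part of the thread or of Samba; it assumes the file is in the MIT keytab format version 0x0502, and the function names and the sample entries (all-zero keys) are constructed for illustration.

```python
import struct

# Deprecated Kerberos enctypes (DES: RFC 6649, RC4: RFC 8429), by IANA number.
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}

def _counted(buf, off):  # uint16 length prefix + bytes -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)
        if size <= 0:                  # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        p, parts = start + 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            text, p = _counted(data, p)
            parts.append(text)
        kvno = data[p + 8]             # after 4-byte name type, 4-byte timestamp
        etype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen
        if pos - p >= 4:               # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return out

def audit_keytab(data, expected_spn):
    """List principals other than expected_spn and any deprecated enctypes."""
    findings = []
    for princ, kvno, etype in parse_keytab(data):
        if princ.rsplit("@", 1)[0].lower() != expected_spn.lower():
            findings.append(f"unexpected principal {princ}")
        if etype in WEAK_ETYPES:
            findings.append(f"weak enctype {WEAK_ETYPES[etype]} ({princ}, kvno {kvno})")
    return findings

def make_entry(spn, realm, kvno, etype, key):  # constructed sample data, no real keys
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", spn.count("/") + 1) + b"".join(map(cs, [realm] + spn.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body
SPN = "HTTP/proxy1.internal.domain.tld"     # SPN from the message above
SAMPLE = b"\x05\x02" + b"".join(make_entry(SPN, "KERB_REALM", 2, e, bytes(n)) for e, n in ((18, 32), (23, 16)))
```

For a real file, pass `open("/home/proxy1.keytab", "rb").read()` as `data`; an empty list means no findings.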