[Samba] Trouble adding a service principal to keytab

Norm Green norm.green at gemtalksystems.com
Thu Feb 25 21:42:57 UTC 2016 

Hi,

I am new to samba and Kerberos so please be gentle!

I have built a samba AD DC (v4.3.5) on Centos Linux from source and am 
trying to add a service principal and generate a keytab containing the 
principal.  However the principal entry does not appear in the keytab.

Here's what I did:

[root at bones ~]# samba-tool spn add 
GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM normg
[root at bones ~]# samba-tool spn list normg
normg
User CN=normg,CN=Users,DC=sambatest,DC=gemtalksystems,DC=com has the 
following servicePrincipalName:
  GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM

Ok, so it appears to be there under user normg.  Now if I export the 
entire keytab:

[root at bones ~]# samba-tool domain exportkeytab samba.keytab
[root at bones ~]# klist -k samba.keytab
Keytab name: FILE:samba.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 Administrator at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 krbtgt at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM
    1 normg at SAMBATEST.GEMTALKSYSTEMS.COM

So the GEMSTONE64 principal is NOT in the keytab!  And requesting that 
principal for the keytab fails:

[root at bones ~]# samba-tool domain exportkeytab s 
--principal=GEMSTONE64/bunk.gemtalksystems.com at SAMBATEST.GEMTALKSYSTEMS.COM
ERROR(runtime): uncaught exception - Key table entry not found
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
line 117, in run
     net.export_keytab(keytab=keytab, principal=principal)

Removing the realm from the request fails in the same way.

If I was using Kerberos without samba, I would just do:

kadmin -q "addprinc -randkey GEMSTONE64/bunk.gemtalksystems.com"
kadmin -q "xst -norandkey -k my.keytab GEMSTONE64/bunk.gemtalksystems.com"

but I know kadmin is a no-no under samba.

How can I get a keytab which contains the service principal?

Norm Green

More information about the samba mailing list