[Samba] Trouble adding a service principal to keytab
L.P.H. van Belle
belle at bazuin.nl
Fri Feb 26 07:18:11 UTC 2016
Same question as a few days ago...
Have a look here : http://www.spinics.net/lists/samba/msg132273.html
Greetz,
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Norm Green
> Sent: Thursday 25 February 2016 22:43
> To: samba at lists.samba.org
> Subject: [Samba] Trouble adding a service principal to keytab
>
> Hi,
>
> I am new to samba and Kerberos so please be gentle!
>
> I have built a samba AD DC (v4.3.5) on Centos Linux from source and am
> trying to add a service principal and generate a keytab containing the
> principal. However the principal entry does not appear in the keytab.
>
> Here's what I did:
>
> [root@bones ~]# samba-tool spn add GEMSTONE64/bunk.gemtalksystems.com@SAMBATEST.GEMTALKSYSTEMS.COM normg
> [root@bones ~]# samba-tool spn list normg
> normg
> User CN=normg,CN=Users,DC=sambatest,DC=gemtalksystems,DC=com has the
> following servicePrincipalName:
> GEMSTONE64/bunk.gemtalksystems.com@SAMBATEST.GEMTALKSYSTEMS.COM
>
> Ok, so it appears to be there under user normg. Now if I export the
> entire keytab:
>
> [root@bones ~]# samba-tool domain exportkeytab samba.keytab
> [root@bones ~]# klist -k samba.keytab
> Keytab name: FILE:samba.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 BONES$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 WIN7VM-TYCHE$@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 Administrator@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 Administrator@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 Administrator@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 Administrator@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 Administrator@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 krbtgt@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 krbtgt@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 krbtgt@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 krbtgt@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 krbtgt@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 normg@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 normg@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 normg@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 normg@SAMBATEST.GEMTALKSYSTEMS.COM
> 1 normg@SAMBATEST.GEMTALKSYSTEMS.COM
>
> So the GEMSTONE64 principal is NOT in the keytab! And requesting that
> principal for the keytab fails:
>
> [root@bones ~]# samba-tool domain exportkeytab s --principal=GEMSTONE64/bunk.gemtalksystems.com@SAMBATEST.GEMTALKSYSTEMS.COM
> ERROR(runtime): uncaught exception - Key table entry not found
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 117, in run
>     net.export_keytab(keytab=keytab, principal=principal)
>
> Removing the realm from the request fails in the same way.
>
> If I was using Kerberos without samba, I would just do:
>
> kadmin -q "addprinc -randkey GEMSTONE64/bunk.gemtalksystems.com"
> kadmin -q "xst -norandkey -k my.keytab GEMSTONE64/bunk.gemtalksystems.com"
>
> but I know kadmin is a no-no under samba.
>
> How can I get a keytab which contains the service principal?
>
> Norm Green
>
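A quick way to check what an exported keytab really contains, added here as an example (it is neither Norm's output nor Samba's own code): a small reader for the 0x0502 keytab format that lists one entry per principal, kvno and encryption type, which is also why klist -k above prints each account five times (one key per enctype). The realm, user and SPN names are taken from the post; the sample keytab, its all-zero keys and the kvno 300 are constructed, and build_keytab is a helper written only to produce that sample.

```python
import struct

# Reader for the 0x0502 keytab format (MIT/Heimdal, as written by Samba); enctypes per RFC 3961/3962/4757.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)], one tuple per key entry, like klist -k."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        parts, p = [], off + 2
        for _ in range(ncomp + 1):        # counted strings: realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        vno = data[p + 8]                 # after name_type (u32) and timestamp (u32): vno8
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen                  # step over the key bytes; they are never exposed
        if end - p >= 4:                  # optional 32-bit kvno, used when non-zero
            vno = struct.unpack_from(">I", data, p)[0] or vno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno, ENCTYPES.get(enctype, str(enctype))))
        off = end
    return entries
def has_principal(data, principal):
    return any(p == principal for p, _, _ in parse_keytab(data))
def build_keytab(keys, header=True):
    """Encode [(principal, kvno, enctype, key)] as 0x0502 entries; used here only for test data."""
    out = b"\x05\x02" if header else b""
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
# Constructed sample, all-zero dummy keys: normg with three enctypes, a deleted slot, then the SPN with kvno 300.
REALM = "SAMBATEST.GEMTALKSYSTEMS.COM"
SAMPLE = (build_keytab([("normg@" + REALM, 1, 18, b"\0" * 32), ("normg@" + REALM, 1, 17, b"\0" * 16),
                        ("normg@" + REALM, 1, 23, b"\0" * 16)]) + struct.pack(">i", -8) + b"\0" * 8
          + build_keytab([("GEMSTONE64/bunk.gemtalksystems.com@" + REALM, 300, 18, b"\0" * 32)], False))
```

Feeding open("samba.keytab", "rb").read() to parse_keytab() shows whether the GEMSTONE64 entry made it into the file without printing any key material.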