[Samba] Where is krb5.keytab or equivalent?

Rowland penny rpenny at samba.org
Mon Jun 27 18:57:39 UTC 2016 

On 27/06/16 19:47, Mark Foley wrote:
>> ... you don't get the /etc/krb5.keytab by default on a DC, you will need
>> to create it:
>>
>> samba-tool domain exportkeytab /etc/krb5.keytab
> Excellent! Thank you. I've done that now, but I have more issues more appropriate to a reply to mathias' message following.
>
> --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Rowland penny <rpenny at samba.org>
>> Date: Mon, 27 Jun 2016 08:09:47 +0100
>> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>>
>>> I am running Samba 4.1.23 as an AD/DC. It has been running file for more than 1 1/2 years as a
>>> AD/DC for mostly Windows workstations.
>>>
>>> I'm trying to setup Dovecot with gssapi authentication. The config needs the location of the service
>>> keys located in the keytab file. The default location it looks for is:
>>>
>>> /etc/krb5.keytab
>>>
>>> There is no such file there, nor is there a so-named file on the AD/DC at all. I do find:
>>>
>>> /etc/samba/private/secrets.keytab
>>> /etc/samba/private/dns.keytab
>>>
>>> Is one of these what I can use for the Dovecot required config?
>>>
>>> THX --Mark
>>>
>> Hi, you don't get the /etc/krb5.keytab by default on a DC, you will need
>> to create it:
>>
>> samba-tool domain exportkeytab /etc/krb5.keytab
>>
>> Rowland
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

The easiest way to find out what is in your keytab is with ktutil:

root at dc1:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- 
---------------------------------------------------------------------
    1    1                  DC1$@SAMDOM.EXAMPLE.COM
    2    1                  DC1$@SAMDOM.EXAMPLE.COM
    3    1                  DC1$@SAMDOM.EXAMPLE.COM
    4    1                  DC1$@SAMDOM.EXAMPLE.COM
    5    1                  DC1$@SAMDOM.EXAMPLE.COM
    6    1                  DC2$@SAMDOM.EXAMPLE.COM
    7    1                  DC2$@SAMDOM.EXAMPLE.COM
    8    1                  DC2$@SAMDOM.EXAMPLE.COM
    9    1                  DC2$@SAMDOM.EXAMPLE.COM
   10    1                  DC2$@SAMDOM.EXAMPLE.COM
....................................
............................
......................
ktutil:  q
root at dc1:~#

You can also add to the keytab, is this what you need to do?

Rowland

More information about the samba mailing list