[Samba] Where is krb5.keytab or equivalent?

Mark Foley mfoley at ohprs.org
Mon Jun 27 18:59:43 UTC 2016


On 2016-06-27 11:18 GMT+02:00 mathias dufresne wrote:

> You can check which principal is in your keytab using klist: klist -k or
> klist -ke /path/to/keytab

Mathias, thank you. I've created the /etc/krb5.keytab per Rowland's instructions. And, per
older instruction from when I first installed Samba4 2 years ago, I've done:

ln -s /etc/samba/private/krb5.conf /etc/krb5.conf

The contents of which are:

[libdefaults]
    default_realm = HPRS.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

I don't know if I need that file or not, but the Dovecot people say I do. I now have those
files (krb5.keytab and krb5.conf) in /etc.

Now, the problem is I cannot do your suggested `klist` command, nor the `kinit` as described in
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Configure_Kerberos

I don't seem to have these commands. Do these come with the Samba4 installation or are they
supposed to already be on the system, or to be downloaded separately?

--Mark

-----Original Message-----
> From: mathias dufresne <infractory at gmail.com>
> Date: Mon, 27 Jun 2016 11:18:39 +0200
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] Where is krb5.keytab or equivalent?
>
> You can specify which principal you want in your keytab with samba-tool,
> check the manual.
> You can check which principal is in your keytab using klist: klist -k or
> klist -ke /path/to/keytab
>
>
> > On 27/06/16 04:27, Mark Foley wrote:
> >
> >> I am running Samba 4.1.23 as an AD/DC. It has been running fine for more
> >> than 1 1/2 years as an
> >> AD/DC for mostly Windows workstations.
> >>
> >> I'm trying to set up Dovecot with gssapi authentication. The config needs
> >> the location of the service
> >> keys located in the keytab file. The default location it looks for is:
> >>
> >> /etc/krb5.keytab
> >>
> >> There is no such file there, nor is there a so-named file on the AD/DC at
> >> all. I do find:
> >>
> >> /etc/samba/private/secrets.keytab
> >> /etc/samba/private/dns.keytab
> >>
> >> Is one of these what I can use for the Dovecot required config?
> >>
> >> THX --Mark
> >>
> >>
> > Hi, you don't get the /etc/krb5.keytab by default on a DC, you will need
> > to create it:
> >
> > samba-tool domain exportkeytab /etc/krb5.keytab
> >
> > Rowland
> >
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
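
On a host without klist, the keytab can be read directly to see which principals it holds, which matters because a keytab exported on a DC may carry keys for far more than the one mail service. This is an added example, not part of the thread: it parses the common keytab file format (version 0x0502) and reports principals the service does not need; the host name mail.hprs.local, the imap principal, the function names and the all-zero keys are constructed assumptions.

```python
import struct

def parse_keytab(data):
    """List (principal, kvno, enctype number) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        if len(rec) < size:
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        off += 8                           # skip name type and timestamp
        kvno = rec[off]
        etype, klen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + klen                    # key bytes are skipped, never returned
        if len(rec) - off >= 4:            # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return entries

def surplus_principals(entries, needed):
    """Principals present in the keytab that the service does not need."""
    return sorted({p for p, _, _ in entries if p not in needed})

def build_entry(realm, comps, kvno, etype, key):  # builds one constructed record
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: dummy all-zero keys, hypothetical host mail.hprs.local.
ROWS = [(["imap", "mail.hprs.local"], 2, 18, 32), (["krbtgt", "HPRS.LOCAL"], 1, 18, 32),
        (["Administrator"], 3, 23, 16)]
SAMPLE = b"\x05\x02" + b"".join(build_entry("HPRS.LOCAL", c, k, e, bytes(n)) for c, k, e, n in ROWS)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE)
    print(found, surplus_principals(found, {"imap/mail.hprs.local@HPRS.LOCAL"}))
```

A non-empty surplus list means the file should be re-exported for the service principal only, and a keytab in any case should be readable only by the account that needs it.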


