[Samba] Exporting keytab for SPN failure
Rowland Penny
rpenny at samba.org
Wed Sep 14 06:38:20 UTC 2016
On Tue, 13 Sep 2016 22:53:44 -0500
Michael A Weber via samba <samba at lists.samba.org> wrote:
> Experts—
>
> I’m attempting to export a keytab for a created SPN on the AD DC
> machine but I’m receiving an error:
>
> ERROR(runtime): uncaught exception - Key table entry not found
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>     net.export_keytab(keytab=keytab, principal=principal)
>
> Steps taken to recreate:
>
> 1. Create a user for the SPN
>
> samba-tool user create web-intranet-macmini
> <provided password when prompted>
>
> 2. Add the SPN:
>
> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> <succeeded without error>
>
> 3. Export the keytab file to be used on the intranet host:
>
> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>
> <Get the error listed above>
>
> Now, I tried adding another SPN without the realm, and exporting
> without the realm, and I did not receive an error.
>
> I then deleted both SPNs via samba-tool spn delete, recreated the SPN
> using the realm just to make sure I’m not completely crazy and didn’t
> fat finger anything (and to make sure my contact lenses are making me
> see what I think I’m seeing) and I still get the error.
>
> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s)
> associated with that user, and they are correct.
>
> Is there something glaringly obvious I’m missing?
>
> Mike
Yes, the principal isn't the SPN when you try to export the keytab, it
is the user.
Rowland