[Samba] Exporting keytab for SPN failure

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Sep 14 15:30:03 UTC 2016


> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Tue, 13 Sep 2016 22:53:44 -0500
> Michael A Weber via samba <samba at lists.samba.org> wrote:
> 
>> Experts—
>> 
>> I’m attempting to export a keytab for a created SPN on the AD DC
>> machine but I’m receiving an error:
>> 
>> ERROR(runtime): uncaught exception - Key table entry not found
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>     net.export_keytab(keytab=keytab, principal=principal)
>> 
>> Steps taken to recreate:
>> 
>> 1.  Create a user for the SPN
>> 
>> samba-tool user create web-intranet-macmini
>> <provided password when prompted>
>> 
>> 2.  Add the SPN:
>> 
>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>> <succeeded without error>
>> 
>> 3.  Export the keytab file to be used on the intranet host:
>> 
>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>> 
>> <Get the error listed above>
>> 
>> Now, I tried adding another SPN without the realm, and exporting
>> without the realm, and I did not receive an error.
>> 
>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN
>> using the realm just to make sure I’m not completely crazy and didn’t
>> fat finger anything (and to make sure my contact lenses are making me
>> see what I think I’m seeing) and I still get the error.
>> 
>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s)
>> associated with that user, and they are correct.
>> 
>> Is there something glaringly obvious I’m missing?
>> 
>> Mike
> 
> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
> 
> Rowland
> 

Rowland—

That appears to have worked.

Should the wiki page be modified/updated to reflect this?  Also, I think some of the wording is confusing on the wiki page, specifically “this should then produce the keytab for the principAL ‘that you have exported’…”

I’ve already exported a principAL?  When?  Or, am I currently exporting a principal with the samba-tool right then and there?

https://wiki.samba.org/index.php/Generating_Keytabs

Mike


