[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Wed Sep 14 15:44:25 UTC 2016



On 14.09.2016 at 05:53, Michael A Weber via samba wrote:
> Experts—
>
> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>
> ERROR(runtime): uncaught exception - Key table entry not found
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>      net.export_keytab(keytab=keytab, principal=principal)
>
> Steps taken to recreate:
>
> 1.  Create a user for the SPN
>
> samba-tool user create web-intranet-macmini
> <provided password when prompted>
>
> 2.  Add the SPN:
>
> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> <succeeded without error>
>
> 3.  Export the keytab file to be used on the intranet host:
>
> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>
> <Get the error listed above>
>
> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>
> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat finger anything (and to make sure my contact lenses are making me see what I think I’m seeing) and I still get the error.
>
> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>
> Is there something glaringly obvious I’m missing?
>
> Mike
Last time I created an SPN it was not necessary to add the realm part 
when creating the realm. It should be added automatically and you can 
verify it with
klist -Kek [your keytabfile]


