[Samba] Exporting keytab for SPN failure

Rowland Penny rpenny at samba.org
Wed Sep 14 15:54:36 UTC 2016


On Wed, 14 Sep 2016 10:30:03 -0500
Michael A Weber <mweber.subscriptions01 at gmail.com> wrote:

> 
> > On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> > On Tue, 13 Sep 2016 22:53:44 -0500
> > Michael A Weber via samba <samba at lists.samba.org> wrote:
> > 
> >> Experts—
> >> 
> >> I’m attempting to export a keytab for a created SPN on the AD DC
> >> machine but I’m receiving an error:
> >> 
> >> ERROR(runtime): uncaught exception - Key table entry not found
> >>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>     return self.run(*args, **kwargs)
> >>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
> >>     net.export_keytab(keytab=keytab, principal=principal)
> >> 
> >> Steps taken to recreate:
> >> 
> >> 1.  Create a user for the SPN
> >> 
> >> samba-tool user create web-intranet-macmini
> >> <provided password when prompted>
> >> 
> >> 2.  Add the SPN:
> >> 
> >> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> >> <succeeded without error>
> >> 
> >> 3.  Export the keytab file to be used on the intranet host:
> >> 
> >> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
> >> 
> >> <Get the error listed above>
> >> 
> >> Now, I tried adding another SPN without the realm, and exporting
> >> without the realm, and I did not receive an error.
> >> 
> >> I then deleted both SPNs via samba-tool spn delete, recreated the
> >> SPN using the realm just to make sure I’m not completely crazy and
> >> didn’t fat finger anything (and to make sure my contact lenses are
> >> making me see what I think I’m seeing) and I still get the error.
> >> 
> >> When I do samba-tool spn list web-intranet-macmini, I see the
> >> SPN(s) associated with that user, and they are correct.
> >> 
> >> Is there something glaringly obvious I’m missing?
> >> 
> >> Mike
> > 
> > Yes, the principal isn't the SPN when you try to export the keytab,
> > it is the user.
> > 
> > Rowland
> > 
> > 
> 
> Rowland—
> 
> That appears to have worked.
> 
> Should the wiki page be modified/updated to reflect this?  Also, I
> think some of the wording is confusing on the wiki page, specifically
> “this should then produce the keytab for the principAL ‘that you have
> exported’…”
> 
> I’ve already exported a principAL?  When?  Or, am I currently
> exporting a principal with the samba-tool right then and there?
> 
> https://wiki.samba.org/index.php/Generating_Keytabs
> 
> Mike
> 

I have updated the wiki, corrected the obvious errors and spelling.

Rowland



