[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Wed Sep 14 16:17:39 UTC 2016



On 14.09.2016 at 17:54, Rowland Penny via samba wrote:
> On Wed, 14 Sep 2016 10:30:03 -0500
> Michael A Weber <mweber.subscriptions01 at gmail.com> wrote:
>
>>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>> On Tue, 13 Sep 2016 22:53:44 -0500
>>> Michael A Weber via samba <samba at lists.samba.org> wrote:
>>>
>>>> Experts—
>>>>
>>>> I’m attempting to export a keytab for a created SPN on the AD DC
>>>> machine but I’m receiving an error:
>>>>
>>>> ERROR(runtime): uncaught exception - Key table entry not found
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>>>>     net.export_keytab(keytab=keytab, principal=principal)
>>>>
>>>> Steps taken to recreate:
>>>>
>>>> 1.  Create a user for the SPN
>>>>
>>>> samba-tool user create web-intranet-macmini
>>>> <provided password when prompted>
>>>>
>>>> 2.  Add the SPN:
>>>>
>>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>>>> <succeeded without error>
>>>>
>>>> 3.  Export the keytab file to be used on the intranet host:
>>>>
>>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>>>
>>>> <Get the error listed above>
>>>>
>>>> Now, I tried adding another SPN without the realm, and exporting
>>>> without the realm, and I did not receive an error.
>>>>
>>>> I then deleted both SPNs via samba-tool spn delete, recreated the
>>>> SPN using the realm just to make sure I’m not completely crazy and
>>>> didn’t fat finger anything (and to make sure my contact lenses are
>>>> making me see what I think I’m seeing) and I still get the error.
>>>>
>>>> When I do samba-tool spn list web-intranet-macmini, I see the
>>>> SPN(s) associated with that user, and they are correct.
>>>>
>>>> Is there something glaringly obvious I’m missing?
>>>>
>>>> Mike
>>> Yes, the principal isn't the SPN when you try to export the keytab,
>>> it is the user.
>>>
>>> Rowland
>>>
>>>
>> Rowland—
>>
>> That appears to have worked.
>>
>> Should the wiki page be modified/updated to reflect this?  Also, I
>> think some of the wording is confusing on the wiki page, specifically
>> “this should then produce the keytab for the principAL ‘that you have
>> exported’…”
>>
>> I’ve already exported a principAL?  When?  Or, am I currently
>> exporting a principal with the samba-tool right then and there?
>>
>> https://wiki.samba.org/index.php/Generating_Keytabs
>> <https://wiki.samba.org/index.php/Generating_Keytabs>
>>
>> Mike
>>
> I have updated the wiki, corrected the obvious errors and spelling.
>
> Rowland
>
>
Hi Rowland,

No offence, but it is indeed possible to use the SPN as the principal name.
Try it, it works. There is no need to use the realm part during spn add.
Afterwards, the SPN with and without the realm can be used with domain
exportkeytab as the principal.

achim~
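Whichever principal name you pass to exportkeytab, the check worth doing afterwards is whether the written file actually holds a key for the HTTP SPN (klist -k shows this; the reader below does the same offline). This is an added example, not code from the thread or from Samba: a minimal parser for the MIT keytab v2 format that Samba writes, run here against a keytab constructed in memory from the thread's placeholder names, with enctype 18 (aes256-cts-hmac-sha1-96) and made-up key bytes; for a real export, read the file in binary mode and pass the bytes.

```python
import struct

# Constructed sample names (the thread's host and realm are placeholders).
REALM, USER = "DOMAIN2.DOMAIN1.TLD", "web-intranet-macmini"
SPN = "HTTP/hostname.domain2.domain1.tld"

def _pack_entry(principal, realm, kvno, enctype, key):
    # keytab v2 entry: int32 size, ncomp, realm, components, name_type(1), timestamp, vno8, keyblock
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):  # header 0x0502, then size-prefixed entries
    return b"\x05\x02" + b"".join(_pack_entry(*e) for e in entries)

def _read_str(data, pos):   # uint16 length-prefixed string
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_principals(data):  # -> [(principal@REALM, kvno, enctype), ...]
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:           # negative size = deleted slot; this reader stops there
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_str(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_str(data, pos); comps.append(c)
        _nt, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return out

def keytab_has_spn(data, spn, realm):  # the check after exportkeytab
    return any(p == spn + "@" + realm for p, _, _ in keytab_principals(data))

# enctype 18 = aes256-cts-hmac-sha1-96; the key bytes are constructed, not real
SAMPLE_KEYTAB = build_keytab([(USER, REALM, 1, 18, bytes(range(32))),
                              (SPN, REALM, 1, 18, bytes(range(32)))])
```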


