[Samba] Exporting keytab for SPN failure

Rowland Penny rpenny at samba.org
Wed Sep 14 16:53:45 UTC 2016


On Wed, 14 Sep 2016 18:17:39 +0200
Achim Gottinger via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 14.09.2016 um 17:54 schrieb Rowland Penny via samba:
> > On Wed, 14 Sep 2016 10:30:03 -0500
> > Michael A Weber <mweber.subscriptions01 at gmail.com> wrote:
> >
> >>> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>>
> >>> On Tue, 13 Sep 2016 22:53:44 -0500
> >>> Michael A Weber via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Experts—
> >>>>
> >>>> I’m attempting to export a keytab for a created SPN on the AD DC
> >>>> machine but I’m receiving an error:
> >>>>
> >>>> ERROR(runtime): uncaught exception - Key table entry not found
> >>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>>     return self.run(*args, **kwargs)
> >>>>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
> >>>>     net.export_keytab(keytab=keytab, principal=principal)
> >>>>
> >>>> Steps taken to recreate:
> >>>>
> >>>> 1.  Create a user for the SPN
> >>>>
> >>>> samba-tool user create web-intranet-macmini
> >>>> <provided password when prompted>
> >>>>
> >>>> 2.  Add the SPN:
> >>>>
> >>>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
> >>>> <succeeded without error>
> >>>>
> >>>> 3.  Export the keytab file to be used on the intranet host:
> >>>>
> >>>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
> >>>>
> >>>> <Get the error listed above>
> >>>>
> >>>> Now, I tried adding another SPN without the realm, and exporting
> >>>> without the realm, and I did not receive an error.
> >>>>
> >>>> I then deleted both SPNs via samba-tool spn delete, recreated the
> >>>> SPN using the realm just to make sure I’m not completely crazy
> >>>> and didn’t fat finger anything (and to make sure my contact
> >>>> lenses are making me see what I think I’m seeing) and I still
> >>>> get the error.
> >>>>
> >>>> When I do samba-tool spn list web-intranet-macmini, I see the
> >>>> SPN(s) associated with that user, and they are correct.
> >>>>
> >>>> Is there something glaringly obvious I’m missing?
> >>>>
> >>>> Mike
> >>> Yes, the principal isn't the SPN when you try to export the
> >>> keytab, it is the user.
> >>>
> >>> Rowland
> >>>
> >>>
> >>> -- 
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >> Rowland—
> >>
> >> That appears to have worked.
> >>
> >> Should the wiki page be modified/updated to reflect this?  Also, I
> >> think some of the wording is confusing on the wiki page,
> >> specifically “this should then produce the keytab for the
> >> principAL ‘that you have exported’…”
> >>
> >> I’ve already exported a principAL?  When?  Or, am I currently
> >> exporting a principal with the samba-tool right then and there?
> >>
> >> https://wiki.samba.org/index.php/Generating_Keytabs
> >>
> >> Mike
> >>
> > I have updated the wiki, corrected the obvious errors and spelling.
> >
> > Rowland
> >
> >
> Hi Rowland,
> 
> No offence, but it is indeed possible to use the SPN as the principal
> name. Try it, it works. There is no need to use the realm part during
> spn add. Afterwards the SPN, with or without the realm, can be used
> with domain exportkeytab as the principal.
> 
> achim~
> 

Well, you learn something new every day. I have always used the
username, but you are quite correct: you can use the SPN as a principal.

Ah well, back to editing the wiki.

Rowland
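Whichever principal is passed to `samba-tool domain exportkeytab`, the thing worth checking afterwards is that the resulting file actually holds the SPN, with its realm, that the web host will present. `klist -k FILE` does that on a machine with Kerberos tools; the script below is an added example (not code from this thread or from Samba) that reads the MIT keytab on-disk format (version 0x0502, big-endian) directly and reports which expected principals are absent. The keytab it inspects is constructed inline with a dummy key and the placeholder names from the thread, so it runs offline; it is not a real export.

```python
"""Offline check of a Kerberos keytab: which principals does it hold?

Added example (not Samba's code). Writes and reads the MIT keytab
on-disk format, version 0x0502, big-endian. The sample keytab below
is constructed with a dummy key and is NOT a real export.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
NT_PRINCIPAL = 1                     # KRB5_NT_PRINCIPAL name type
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM" or "user@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """uint16 length prefix + bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries into a version-2 keytab (used for the sample)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        if "@" not in e.principal:
            raise ValueError("keytab principals need a realm: %r" % e.principal)
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)        # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version-2 keytab into KeytabEntry objects; skips deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []

    def take_counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # deleted entry: skip abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_counted().decode()
        comps = [take_counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = take_counted()
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def missing_principals(data: bytes, expected) -> list:
    """Return the expected principals that the keytab does not contain."""
    present = {e.principal for e in parse_keytab(data)}
    return [p for p in expected if p not in present]


# Constructed sample: the SPN and user from the thread, dummy key, kvno 3.
REALM = "DOMAIN2.DOMAIN1.TLD"
SPN = "HTTP/hostname.domain2.domain1.tld@" + REALM
USER = "web-intranet-macmini@" + REALM
DUMMY_KEY = bytes(range(32))
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SPN, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, DUMMY_KEY),
    KeytabEntry(USER, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, DUMMY_KEY),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):      # klist -k style listing
        print("%4d %s (enctype %d)" % (e.kvno, e.principal, e.enctype))
    print("missing:", missing_principals(SAMPLE_KEYTAB, [SPN, USER]))
```

To check a real export, replace `SAMPLE_KEYTAB` with the bytes of the file and pass the SPN in the `HTTP/host@REALM` form the client will use; a principal without a realm is rejected by `build_keytab` because keytab entries always carry one, which is why a bare `HTTP/host` name never matches an entry in the file.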


