[Samba] how to run ktpass with a Samba AD DC?

Jeff Sadowski jeff.sadowski at gmail.com
Fri Jan 20 19:57:41 UTC 2017

I was trying to get authentication via kerberos working but I'm having
trouble trying to run ktpass as in step 6 here


ktpass -princ HTTP/contoso.com at CONTOSO.COM -mapuser
CONTOSO\<USERNAME> -crypto all -ptype KRB5_NT_PRINCIPAL -pass
<PASSWORD> -out webpage.HTTP.keytab

I'm not sure of the syntax of even the microsoft command. In step 5 it
looked like they created a user apache but I don't see that in the command
at all.

even if I was able to run it I don't know what arguments to put in.

I saw other sites that suggest using ktutil instead. I ran

ktutil:  addent -password -p apache@<mydomain> -k 1 -e RC4-HMAC
Password for apache@<mydomain>:
ktutil:  wkt /etc/krb5.keytab
ktutil:  q

as one of the sites suggested and

kinit apache@<mydomain>

worked with the password

kinit apache@<mydomain> -k -t /etc/krb5.keytab

worked without a password.

I did not see a "Delegation" tab when I open the "AD Users and Computers"
in my windows 10 pro

This document seems dated as I run into other areas of trouble.

I noticed in my apache log

PHP Notice:  Undefined index: AUTH_TYPE
PHP Notice:  Undefined index: REMOTE_USER

More information about the samba mailing list