[Samba] Export keytab for SPN

Michal Sládek michal at sladkovi.eu
Thu Aug 9 04:56:40 UTC 2018

Hi all,

It was necessary to add another SPN without the Kerberos realm:

samba-tool spn add HTTP/srv1.ad.brotel.cz svc_confluence_sso

and then the export worked:
samba-tool domain exportkeytab srv1.ad.brotel.cz.keytab --principal=HTTP/srv1.ad.brotel.cz@AD.BROTEL.CZ

Here is the information source that pointed me in the right direction:

Can somebody explain to me why the original SPN created by the command:
samba-tool spn add HTTP/srv1.ad.brotel.cz@AD.BROTEL.CZ svc_confluence_sso
wasn't enough?

Best regards


2018-08-08 8:40 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:

> Hello,
> I am trying to export keytab by following this guide:
> https://wiki.samba.org/index.php/Generating_Keytabs
> OS: CentOS 7.5
> Samba: samba-dc-4.7.6-0.el7.centos.x86_64 (from Tranquil repo)
> Everything seems to work, but keytab is not exported (keytab file is not
> created).
> [root@ads1 /]# net ads enctypes list svc_confluence_sso
> 'svc_confluence_sso' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
> [root@ads1 /]# samba-tool spn list svc_confluence_sso
> svc_confluence_sso
> User CN=SSO Confluence,CN=Users,DC=ad,DC=brotel,DC=cz has the following
> servicePrincipalName:
>          HTTP/srv1.ad.brotel.cz@AD.BROTEL.CZ
> [root@ads1 /]# samba-tool domain exportkeytab test.keytab --principal=HTTP/srv1.ad.brotel.cz@AD.BROTEL.CZ
> Export one principal to test.keytab
> [root@ads1 /]# ls *.keytab
> ls: cannot access *.keytab: No such file or directory
> Exporting keytab for user svc_confluence_sso works.
> Do you have any suggestions?
> Best regards
> Michal
