[Samba] samba-tool domain exportkeytab fails silently

Kees van Vloten keesvanvloten at gmail.com
Sun Jul 4 20:53:24 UTC 2021


Hi Samba-team,

I am using samba 4.14 from Louis' repo and Debian Buster.

I have created some service accounts for apache with a SPN on each.
When I do:

samba-tool domain exportkeytab --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab

It creates the keytab with the principal.
When I do:

samba-tool domain exportkeytab --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab

It does not create any file and returns with rc=0

Both principals are created on a dedicated service (user) account (i.e. 
not on the computer account) with:

samba-tool spn add HTTP/host1.example.com@EXAMPLE.COM svc_host1_apache
samba-tool spn add HTTP/host2.example.com@EXAMPLE.COM svc_host2_apache

I ran the exportkeytab command with '-d 8' and then the difference in 
behaviour is visible:

samba-tool domain exportkeytab -d 8 --principal=HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab

...

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=example,DC=com NULL -> 1
gendb_search_v: DC=example,DC=com NULL -> 1
Export one principal to /path/host1_apache.keytab
gendb_search_v: DC=example,DC=com NULL -> 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (18) and version (2)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1592: Saving entry with kvno [2] enctype [18] for principal: HTTP/host1.example.com@EXAMPLE.COM.
../../lib/krb5_wrap/krb5_samba.c:1754: adding keytab entry for (HTTP/host1.example.com@EXAMPLE.COM) with encryption type (23) and version (2)


samba-tool domain exportkeytab -d 8 --principal=HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab

...

GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=example,DC=com NULL -> 1
gendb_search_v: DC=example,DC=com NULL -> 1
Export one principal to /path/host2_apache.keytab
gendb_search_v: DC=example,DC=com NULL -> 1

Both hosts have a computer-account. But since this is a principal on a 
user account, I would expect that to be irrelevant.
However the only difference I can come up with to explain this behaviour 
is that host1 has actually done a domain-join while host2 did not.

This leaves me with the questions:
- Why doesn't exportkeytab display any error or return rc != 0 when 
it fails?
- Why is exportkeytab failing in the first place?
- Apache has its own service (user) account and does not need the 
domain-join to authenticate users to its web-pages, or does it?

- Kees
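Because the export can return 0 without writing anything, a wrapper that checks the result afterwards turns the silent failure into a visible one. This is an added example, not code from the post or from Samba; it assumes MIT Kerberos `klist` (the krb5-user package on Debian) and `samba-tool` on PATH, and reuses the principal names from the post.

```shell
#!/bin/sh
# Added example: verify that 'samba-tool domain exportkeytab' really produced
# a keytab containing the requested principal. Assumes MIT Kerberos klist
# output ("KVNO Principal" table) and samba-tool on PATH.
set -u

# keytab_lists_principal PRINCIPAL   (reads 'klist -k' output on stdin)
# Prints the number of entries for PRINCIPAL (one per enctype) and succeeds
# only if that number is greater than zero.
keytab_lists_principal() {
    princ="$1"
    n=$(awk -v p="$princ" '$1 ~ /^[0-9]+$/ && $2 == p { c++ } END { print c+0 }')
    echo "$n"
    [ "$n" -gt 0 ]
}

# export_keytab_checked PRINCIPAL KEYTAB
# Runs the export, then fails loudly if the file is missing/empty or does not
# contain the principal, which the bare command would not report.
export_keytab_checked() {
    princ="$1"; kt="$2"
    samba-tool domain exportkeytab --principal="$princ" "$kt" || return 1
    if [ ! -s "$kt" ]; then
        echo "ERROR: $kt was not written for $princ" >&2
        return 2
    fi
    n=$(klist -k "$kt" | keytab_lists_principal "$princ") || {
        echo "ERROR: $kt does not contain $princ" >&2
        return 3
    }
    echo "OK: $kt has $n key(s) for $princ"
}

# Usage with the two principals from the post:
# export_keytab_checked HTTP/host1.example.com@EXAMPLE.COM /path/host1_apache.keytab
# export_keytab_checked HTTP/host2.example.com@EXAMPLE.COM /path/host2_apache.keytab
```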
