[Samba] Cannot create keytab for Apache Kerberos auth: Client SPN_RECORD not found in Kerberos database while getting initial credentials

Lorenzo Milesi lorenzo.milesi at yetopen.com
Fri Jul 16 14:13:31 UTC 2021

I'm trying to configure nginx (or Apache) with Kerberos authentication, but I'm unable to generate a usable keytab file. 


# samba-tool domain info 127.1 
Forest : ad.internal.contoso.com 
Domain : ad.internal.contoso.com 
Netbios domain : MYAD 
DC name : dc1.ad.internal.contoso.com 
DC netbios name : DC1 
Server site : Default-First-Site-Name 
Client site : Default-First-Site-Name 
# samba -V 
Version 4.14.6-Debian 
# cat /etc/krb5.conf 
default_realm = AD.INTERNAL.CONTOSO.COM 
dns_lookup_kdc = true 
dns_lookup_realm = false 

Following [1] and other guides, I ended up with the following commands: 

# samba-tool user create --random-password webauth 
# samba-tool user setexpiry webauth --noexpiry 
# samba-tool spn add HTTP/test2021.domain.com webauth 
# samba-tool spn add HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM webauth 
# samba-tool spn list webauth 
User CN=webauth,CN=Users,DC=ad,DC=internal,DC=contoso,DC=com has the following servicePrincipalName: 
HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM 

I didn't set up DNS because test2021.domain.com is a public host and has A and PTR records. 

Then I add ciphers with: 
# net ads enctypes set webauth 
'webauth' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f) 
[X] 0x00000001 DES-CBC-CRC 
[X] 0x00000002 DES-CBC-MD5 
[X] 0x00000004 RC4-HMAC 
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96 
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96 

# samba-tool domain exportkeytab /tmp/abc.keyttab --principal=HTTP/test2021.domain.com 
(executing the command adding the Kerberos realm suffix produces the same keytab file, and same result below) 

# klist -kte /tmp/abc.keyttab 
Keytab name: FILE:/tmp/abc.keyttab 
KVNO Timestamp           Principal 
---- ------------------- ------------------------------------------------------ 
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (arcfour-hmac) 
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes256-cts-hmac-sha1-96) 
   2 07/16/2021 15:01:28 HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM (aes128-cts-hmac-sha1-96) 

Without even moving the keytab to the webserver, if I try to use it locally on the DC I get: 

# kinit -5 -V -k -t /tmp/abc.keyttab HTTP/test2021.domain.com 
Using default cache: /tmp/krb5cc_0 
Using principal: HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM 
Using keytab: /tmp/abc.keyttab 
kinit: Client 'HTTP/test2021.ufficyo.com@AD.INTERNAL.CONTOSO.COM' not found in Kerberos database while getting initial credentials 

Same result on the webserver. 

Other guides suggest also adding an SPN for host/test2021.domain.com and merging both keys into a single keytab using ktutil; I tried that, but I got the same result. 
Most of the guides I found generate the SPN from a Windows machine; I fear I'm doing something wrong using the corresponding commands on Linux. 

What am I doing wrong? 

[1] https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory 


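The klist -kte listing in the post shows what the exported keytab holds, but it helps to be able to read a keytab independently of klist and compare it against the name you are about to hand to kinit -k. The following is an added Python example, not code from the original post or from Samba: it builds an MIT-format (version 0x0502) keytab in memory, parses it back, lists principals, kvno and encryption types, flags the weak ones (DES and RC4, the types the net ads enctypes output above marks as DES-* and RC4-HMAC), and checks whether the file contains a key for a given client principal. The principal, kvno and enctypes mirror the post's output; the key bytes, the timestamp value and all function names are constructed for illustration.

```python
"""Inspect an MIT-format Kerberos keytab (version 0x0502) without klist.
Added example: builds a small keytab in memory, parses it, reports what it holds."""
import struct

KEYTAB_VERSION = b"\x05\x02"
NT_PRINCIPAL = 1

# RFC 3961/3962/4757 enctype numbers with the names klist -e prints for them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# DES and RC4 (arcfour) are deprecated; MIT krb5 rejects DES unless allow_weak_crypto is set.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, as the format uses for realm and name components."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """Serialise one entry: component count, realm, components, name type, timestamp,
    8-bit vno, keyblock (enctype, length, key), then the 32-bit vno extension."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_VERSION + b"".join(build_entry(*entry) for entry in entries)


def _read_counted(blob: bytes, pos: int):
    (length,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + length].decode(), pos + length


def parse_keytab(blob: bytes):
    """Return one dict per live entry; a negative entry size marks a deleted slot to skip."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(blob, pos)
            components.append(component)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + key_len]
        pos += key_len
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit field when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def audit_keytab(blob: bytes, client_principal: str) -> dict:
    """Summarise the keytab and say whether it has a key for the principal you plan to kinit as."""
    entries = parse_keytab(blob)
    return {
        "principals": sorted({e["principal"] for e in entries}),
        "kvnos": sorted({e["kvno"] for e in entries}),
        "enctypes": sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in entries}),
        "weak": sorted({ENCTYPE_NAMES[e["enctype"]] for e in entries if e["enctype"] in WEAK_ENCTYPES}),
        "has_client_key": any(e["principal"] == client_principal for e in entries),
    }


# Constructed sample mirroring the klist -kte output in the post; keys and timestamp are made up.
SAMPLE_PRINCIPAL = "HTTP/test2021.domain.com@AD.INTERNAL.CONTOSO.COM"
SAMPLE_TIMESTAMP = 1626447688  # illustrative value for 2021-07-16 15:01:28
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 2, 23, bytes(16), SAMPLE_TIMESTAMP),
    (SAMPLE_PRINCIPAL, 2, 18, bytes(32), SAMPLE_TIMESTAMP),
    (SAMPLE_PRINCIPAL, 2, 17, bytes(16), SAMPLE_TIMESTAMP),
])

if __name__ == "__main__":
    for field, value in audit_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL).items():
        print(field, value)
```

Run against a real file with open(path, "rb").read() instead of SAMPLE_KEYTAB. Note what the check does and does not tell you: kinit -k looks the named principal up in the keytab and then asks the KDC for a TGT for that same name, so has_client_key being true only means the local half can succeed; the KDC must additionally know that name as a client principal, which is a separate condition from the key being present in the file.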