[Samba] Can't kinit SPN - Client not found in Kerberos database while getting initial credentials

Andrew Bartlett abartlet at samba.org
Thu Sep 16 10:13:41 UTC 2021

On Thu, 2021-09-16 at 12:09 +0200, Sam R via samba wrote:
> Hello to all,
> I am trying to set up a GSSAPI connection for postfix smtp with cyrus SASL
> and saslauthd.
> I have two AD samba4 servers.
> I am creating a keytab file for the smtp service but I am stuck.
> To limit the possibilities I test directly the kinit command on the AD
> server, but without success.... Here is the detail of what I do:
> samba-tool user create --random-password postfixuser
> samba-tool user setexpiry --noexpiry postfixuser
> samba-tool spn add smtp/smtp.internaldom.name postfixuser
> samba-tool domain exportkeytab /root/smtp.keytab --principal=smtp/smtp.internaldom.name
> kinit -V -k -t /root/smtp.keytab  smtp/smtp.internaldom.name
> Using default cache: /tmp/krb5cc_0
> Using principal:  smtp/smtp.internaldom.name@INTERNALDOM.NAME
> Using keytab: /root/smtp.keytab
> kinit: Client ' smtp/smtp.internaldom.name@INTERNALDOM.NAME ' not found in
> Kerberos database while getting initial credentials
> If anyone has a lead...

In Samba, and in AD, an SPN is not a UPN, while in traditional
Kerberos a principal is a principal no matter what.

This creates a disconnect in documentation that was written for
traditional Kerberos.  You don't need to do the kinit step to use the
keytab, just configure it in your postfix and it should work.

If you must run the kinit (to feel comfortable the keytab matches),
then you will need to add smtp/smtp.internaldom.name@INTERNALDOM.NAME
(the full principal name) as the userPrincipalName.

I hope this helps,

Andrew Bartlett

> Thanks a lot.
> Samuel

Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
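
Added example, not part of the original message or of Samba's code: one way to confirm that an exported keytab holds the expected SPN entry without the kinit step, by reading the file directly. It assumes the standard version 2 (0x0502) keytab layout; the sample keytab is constructed with a dummy key, and `counted`, `list_keytab` and `sample_keytab` are names chosen for this illustration.

```python
import struct

# Subset of the registered Kerberos enctype numbers, for readable output.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}

def counted(buf, off):
    """Read a uint16 length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def list_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 2 (0x0502) keytab.
    Key bytes are skipped and never returned, so the result is safe to log."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:          # defensive: stop on an empty record
            break
        if size < 0:           # negative size marks a deleted entry (hole)
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(data, p)
            comps.append(comp.decode())
        # name type (4 bytes), timestamp (4), 8-bit kvno (1), enctype (2)
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = counted(data, p + 11)
        if end - p >= 4:       # optional 32-bit kvno; zero means padding
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or kvno
        name = "/".join(comps) + "@" + realm.decode()
        entries.append((name, kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return entries

def sample_keytab():
    """Constructed sample: one smtp entry, all-zero dummy key, kvno 2."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"INTERNALDOM.NAME") + cs(b"smtp")
            + cs(b"smtp.internaldom.name") + struct.pack(">IIBH", 1, 0, 2, 18)
            + cs(bytes(32)) + struct.pack(">I", 2))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass its bytes to `list_keytab`, for example the contents of /root/smtp.keytab read in binary mode.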
