[Samba] Testing keytab

Robert Marcano robert at marcanoonline.com
Mon Apr 18 19:49:19 UTC 2022


Greetings, what am I missing when testing a keytab that was exported from Samba on another server and it is failing?

1. Export to a keytab file

   samba-tool domain exportkeytab --principal host/test.subdomain.example.com /var/lib/samba/test.keytab

2. Move the keytab file to another server

3. List keytab contents:

# klist -Kek test.keytab

   33 host/plasdcl.intranet.policlinicalaarboleda.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   33 host/test.subdomain.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   33 host/test.subdomain.example.com@AD.EXAMPLE.COM (DEPRECATED:arcfour-hmac)

4. Test the keytab with:

# KRB5_TRACE=/dev/stdout kinit -kt host.keytab -f host/test.subdomain.example.com@AD.EXAMPLE.COM

and get this: Client ... not found in Kerberos database while getting 
initial credentials, kinit log details below.

How is that possible if the keytab was exported a few minutes ago for that service? I have tried with other service names like imap and smtp.



[21800] 1650311064.140108: Getting initial credentials for host/test.subdomain.example.com@AD.EXAMPLE.COM
[21800] 1650311064.140109: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac
[21800] 1650311064.140111: Sending unauthenticated request
[21800] 1650311064.140112: Sending request (278 bytes) to AD.EXAMPLE.COM
[21800] 1650311064.140113: Initiating TCP connection to stream 192.168.100.2:88
[21800] 1650311064.140114: Sending TCP request to stream 192.168.100.2:88
[21800] 1650311064.140115: Received answer (225 bytes) from stream 192.168.100.2:88
[21800] 1650311064.140116: Terminating TCP connection to stream 192.168.100.2:88
[21800] 1650311064.140117: Response was from master KDC
[21800] 1650311064.140118: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/test.subdomain.example.com@AD.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
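
An added example, not part of the original post: a small Python parser for the KRB5_TRACE output above that maps the KDC error number to its RFC 4120 code and records whether the KDC ever asked for pre-authentication. The sample lines are copied from the post's trace with archive line wraps joined and the principal written with `@`; the function name and output fields are assumptions of this example.

```python
import re

# Base of MIT krb5's error table; RFC 4120 KDC error N is reported as base + N.
KRB5_ERROR_BASE = -1765328384
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP", 18: "KDC_ERR_CLIENT_REVOKED",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")

# Sample input: lines from the trace in the post, wraps joined, "@" written out.
SAMPLE = """\
[21800] 1650311064.140108: Getting initial credentials for host/test.subdomain.example.com@AD.EXAMPLE.COM
[21800] 1650311064.140109: Looked up etypes in keytab: aes256-cts, aes128-cts, rc4-hmac
[21800] 1650311064.140111: Sending unauthenticated request
[21800] 1650311064.140114: Sending TCP request to stream 192.168.100.2:88
[21800] 1650311064.140118: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'host/test.subdomain.example.com@AD.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
"""

def summarize(trace):
    """Reduce a KRB5_TRACE log of an AS exchange to the fields needed for triage."""
    out = {"client": None, "keytab_etypes": [], "kdcs": [], "errors": []}
    for raw in trace.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # not a trace record, e.g. kinit's final message
        msg = m.group(1)
        if msg.startswith("Getting initial credentials for "):
            out["client"] = msg.split(" for ", 1)[1]
        elif msg.startswith("Looked up etypes in keytab: "):
            out["keytab_etypes"] = msg.split(": ", 1)[1].split(", ")
        elif k := re.match(r"Sending TCP request to stream (\S+)", msg):
            out["kdcs"].append(k.group(1))
        elif e := re.match(r"Received error from KDC: (-?\d+)/(.*)", msg):
            code = int(e.group(1)) - KRB5_ERROR_BASE
            out["errors"].append((code, KDC_ERRORS.get(code, "unknown"), e.group(2)))
    # If the KDC never answered PREAUTH_REQUIRED, the client sent no encrypted
    # timestamp, so no keytab key was used in any request.
    out["preauth_requested"] = any(code == 25 for code, _, _ in out["errors"])
    return out

if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print(f"{field}: {value}")
```

For this trace the only error is code 6 in reply to the unauthenticated request, so the KDC rejected the client principal name before any key from the keytab came into play.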






