[Samba] Generating Keytab for Service Principal

Armin K. elkrejzi at gmail.com
Thu Dec 14 18:39:33 UTC 2023


Hello everyone. I am stuck on this for what seems to be days. Not sure
what I am doing wrong.

I am following the guide located at
https://wiki.samba.org/index.php/Generating_Keytabs

I am running commands on the domain controller. smb.conf shown below.

Now, I am trying to get Keycloak to perform SPNEGO authentication
using an SPN, and I have used the following commands to create an LDAP
bind DN, add a service principal to it, and tried - but failed
repeatedly - to generate a keytab file as well.

$ sudo samba-tool user add keycloak str0ngP4ssw0rd
$ sudo samba-tool user setexpiry --noexpiry keycloak

$ sudo samba-tool spn add HTTP/login.samdom.net@home.samdom.net keycloak
$ sudo samba-tool spn add HTTP/keycloak@home.samdom.net keycloak

Output below:

User 'keycloak' added successfully
Expiry for user 'keycloak' disabled.

$ sudo samba-tool user show keycloak

mentions the service principals

---
servicePrincipalName: HTTP/login.samdom.net@home.samdom.net
servicePrincipalName: HTTP/keycloak@home.samdom.net
userAccountControl: 66048
---

(as a side note, I have also added userAccountControl, which,
according to the decoder means "normal account" and "don't expire
password")

Now, the moment of truth

$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=HTTP/login.samdom.net@home.samdom.net
Export one principal to keycloak.keytab
$ ls keycloak.keytab
ls: cannot access 'keycloak.keytab': No such file or directory

While it says that it exported the keytab, no file exists anywhere. I
can export keytab for the keycloak user created above, and output is
slightly different

$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=keycloak@home.samdom.net
Export one principal to keycloak.keytab

$ sudo klist -kt keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET
   2 12/14/2023 15:52:32 keycloak@HOME.SAMDOM.NET

I am also able to export keytab for service principals belonging to
SERVER$ computer

$ sudo samba-tool computer show SERVER$

---
servicePrincipalName: HOST/server.home.samdom.net/home.samdom.net
---

$ sudo samba-tool domain exportkeytab keycloak.keytab --principal=HOST/server.home.samdom.net/home.samdom.net
Export one principal to keycloak.keytab

$ sudo klist -kt keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET
   1 12/14/2023 15:55:57 HOST/server.home.samdom.net/home.samdom.net@HOME.SAMDOM.NET

I am baffled why I can't export any principal for the created keycloak
user. As a side note, I have also tried creating the keycloak user as a
computer named KEYCLOAK$, but I still could not export the SPN.

I am running samba version 4.19.3 on ArchLinux ARM on Raspberry PI 4,
aarch64 build.

Does anyone have any idea how to generate the keytab file for my SPNs?

Thank you very much.

### Begin smb.conf
[global]
        interfaces = 127.0.0.1 192.168.0.2
        netbios name = SERVER
        realm = HOME.SAMDOM.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = HOME
        idmap_ldb:use rfc2307 = yes
        ntlm auth = mschapv2-and-ntlmv2-only

        tls enabled  = yes
        tls keyfile  = /etc/samba/tls/key.pem
        tls certfile = /etc/samba/tls/cert.pem
        tls cafile   = /etc/samba/tls/ca.pem

        #log level = 3

        template shell = /bin/bash
        template homedir = /home/%U

        winbind use default domain = true
        winbind nss info = rfc2307

        winbind offline logon = true
        winbind refresh tickets = yes

        winbind enum users = yes
        winbind enum groups = yes

        usershare path = /var/lib/samba/usershares
        usershare max shares = 100
        usershare prefix allow list = /srv/share

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/home.samdom.net/scripts
        read only = No
### End smb.conf
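One detail worth checking in the post above: the SPN values were added as `HTTP/login.samdom.net@home.samdom.net`, so the stored servicePrincipalName attribute literally contains the `@home.samdom.net` suffix. An AD servicePrincipalName is a bare `class/host[:port][/name]` string (compare the computer's `HOST/server.home.samdom.net/home.samdom.net`, which exported fine), and my understanding of `samba-tool domain exportkeytab` is that it strips the realm from `--principal` and matches the remaining name against servicePrincipalName. The POSIX sh script below is an added example, not part of the original post or of Samba; it applies that check to the SPN values copied from the post's `samba-tool user show keycloak` output (`STORED_SPNS`) and to a hypothetical corrected set added without the realm suffix (`FIXED_SPNS`). That the lookup works on the name part without the realm is my assumption about the tool, not something the post states.

```shell
#!/bin/sh
# Added example (not Samba project code): sanity-check the principal string
# handed to `samba-tool domain exportkeytab --principal=` against the
# servicePrincipalName values actually stored on the account.
#
# STORED_SPNS is constructed from the `samba-tool user show keycloak` output
# in the post above, one value per line.
STORED_SPNS='HTTP/login.samdom.net@home.samdom.net
HTTP/keycloak@home.samdom.net'

# Hypothetical: the same SPNs as they would look if re-added without @realm.
FIXED_SPNS='HTTP/login.samdom.net
HTTP/keycloak'

# An AD servicePrincipalName has the form class/host[:port][/name]. It never
# carries an @REALM suffix; the realm is the domain's. Returns 0 if well-formed.
spn_is_well_formed() {
    case $1 in
        *@*)   return 1 ;;   # realm embedded in the attribute value
        ?*/?*) return 0 ;;   # at least class/host present
        *)     return 1 ;;   # no service class at all
    esac
}

# Name part of a Kerberos principal: everything before the last '@'.
# Assumption: this is what exportkeytab compares against servicePrincipalName.
principal_name() {
    printf '%s\n' "${1%@*}"
}

# Returns 0 if the principal's name part exactly equals one of the SPNs in
# the list given as $2 (defaults to STORED_SPNS).
principal_matches_spn() {
    name=$(principal_name "$1")
    printf '%s\n' "${2:-$STORED_SPNS}" | grep -qxF -- "$name"
}

# One-line verdict for an export request against an SPN list.
report() {
    if principal_matches_spn "$1" "${2:-$STORED_SPNS}"; then
        printf 'OK   %s: matches stored SPN %s\n' "$1" "$(principal_name "$1")"
    else
        printf 'FAIL %s: no servicePrincipalName equals %s\n' "$1" "$(principal_name "$1")"
    fi
}

# Validate the stored attribute values themselves first.
printf '%s\n' "$STORED_SPNS" | while IFS= read -r spn; do
    if spn_is_well_formed "$spn"; then
        printf 'OK   stored SPN %s\n' "$spn"
    else
        printf 'WARN stored SPN %s embeds a realm or lacks class/host\n' "$spn"
    fi
done

# The export attempted in the post: the name part never equals a stored value.
report 'HTTP/login.samdom.net@home.samdom.net'
# The same export after the SPNs are re-added without the @realm suffix.
report 'HTTP/login.samdom.net@home.samdom.net' "$FIXED_SPNS"
```

Run it as-is to see the two verdicts; to use it against a real account, replace `STORED_SPNS` with the servicePrincipalName lines from `samba-tool user show` or `samba-tool computer show`.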
