[Samba] Asking help exporting a valid keytab file for cups http
Thorsten Otto
mail at thorstenotto.de
Thu Jun 19 14:34:33 UTC 2025
Hello everyone,
I spent days on creating a valid keytab file for a cups server without
success and I'd kindly ask for help.
The cups server is running on a host named cupsserver which is a domain
member in a samba 4 ad domain called domain.tld.
Everything is running on Debian 12 Bookworm. Samba is using Heimdal
Kerberos with realm DOMAIN.TLD.
On the primary domain controller I do:
root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
root@dc:~# samba-tool spn list cupsserver$
cupsserver$
User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld has the following servicePrincipalName:
HOST/CUPSSERVER
HOST/cupsserver.domain.tld
HTTP/cupsserver.domain.tld@DOMAIN.TLD
root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HTTP/cupsserver.domain.tld
Export one principal to test.keytab
root@dc:~# ktutil -k test.keytab list
test.keytab:
Vno  Type                      Principal                               Aliases
228  aes256-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
228  arcfour-hmac-md5          HTTP/cupsserver.domain.tld@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96   HTTP/cupsserver.domain.tld@DOMAIN.TLD
root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~#
That's pretty much what I achieved. I tried the same without adding the
realm at the end of the principal name, like it is in many examples
over the web, but that doesn't change anything.
I checked DNS, service records, changing the enctypes and much more, but
the last answer is always "client unknown". The system, one PDC and 10
additional DCs, one for each site of the company, has been working well
and stable for years now.
I'd be really glad about any hint you could give me.
Thanks in advance
Thorsten
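As an added example, not part of Thorsten's post or of Samba's own code: a small parser for the version-2 keytab format that ktutil listed above, so the principal string (including its realm suffix), the key version numbers and the enctypes of an exported keytab can be compared programmatically with what samba-tool spn list reports for the account. The sample keytab is constructed inline with dummy key bytes; the entry layout and the enctype numbers are the standard ones, not anything taken from the post.

```python
import struct

# Standard Kerberos enctype numbers (RFC 3962 / RFC 4757) for the types in the ktutil listing.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def build_entry(principal, vno, enctype, key, timestamp=0, name_type=1):
    """Serialise one keytab entry in the version-2 (0x0502) format; all fields big-endian."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)          # optional 32-bit vno (needed once vno exceeds 255)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, vno, enctype_name)] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                    # step over the fixed fields and the key bytes
        # a trailing 32-bit vno, when present, overrides the 8-bit field
        vno = vno8 if end - pos < 4 else struct.unpack_from(">I", data, pos)[0]
        pos = end
        entries.append(("/".join(comps) + "@" + realm, vno, ENCTYPES.get(enctype, str(enctype))))
    return entries

# Constructed sample mirroring the ktutil listing in the post (dummy key bytes), preceded by
# one deleted slot so the skip path is exercised too.
SAMPLE = b"\x05\x02" + struct.pack(">i", -3) + b"\0\0\0" + b"".join(
    build_entry("HTTP/cupsserver.domain.tld@DOMAIN.TLD", vno, et, bytes([vno & 0xFF]) * ln)
    for vno, et, ln in [(228, 18, 32), (228, 17, 16), (228, 23, 16), (227, 18, 32), (227, 17, 16)])
```

Run it against a real keytab with `parse_keytab(open("test.keytab", "rb").read())`; remember that such a file holds the account's long-term keys, so keep it readable only by the service that needs it.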