[Samba] Asking help exporting a valid keytab file for cups http

Rowland Penny rpenny at samba.org
Thu Jun 19 16:19:17 UTC 2025


On Thu, 19 Jun 2025 16:34:33 +0200
Thorsten Otto via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> 
> I spent days on creating a valid keytab file for a cups server without
> success and I'd kindly ask for help.
> 
> The cups server is running on a host named cupsserver which is a
> domain member in a samba 4 ad domain called domain.tld.
> Everything is running on Debian 12 Bookworm. Samba is using heimdal
> kerberos with realm DOMAIN.TLD

Have you tried Samba from bookworm backports?

> 
> On the primary domain controller I do:

A bit nit-picking here, but you do not have a primary DC, all DCs are
equal, it is just that one has the PDC_emulator FSMO role.

> 
> root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> root@dc:~# samba-tool spn list cupsserver$
> cupsserver$
> User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> has the following servicePrincipalName: 
> 	 HOST/CUPSSERVER
> 	 HOST/cupsserver.domain.tld
> 	 HTTP/cupsserver.domain.tld@DOMAIN.TLD

That is another mistake, 'HOST' is a placeholder for other services
(amongst which is 'HTTP'), you can see the entire list with:

sudo ldbsearch --cross-ncs --show-binary \
    -H /var/lib/samba/private/sam.ldb -P \
    -b 'dc=samdom,dc=example,dc=com' -s sub \
    '(sPNMappings=*)' sPNMappings

Which should produce something like this:
# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc

I hope you can see from that, you should be able to use the server's
host key.

Rowland
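
Added illustration (not part of the original message and not Samba's own code) of the alias lookup described in the reply above: it parses an sPNMappings value and reports which registered SPN of the machine account already serves a requested service principal. The sample LDIF is constructed and shortened from the list shown above; the function names are hypothetical, and dropping an @REALM suffix before comparison is an assumption of this sketch.

```python
# Constructed sample: shortened form of the sPNMappings record shown in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,cifs,spooler,www,http,w3svc
"""

def parse_spn_mappings(ldif_text):
    """Return {alias_class: target_class} from sPNMappings lines, lower-cased."""
    aliases = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "spnmappings":
            continue  # comments, dn: lines, blank lines
        target, eq, members = value.strip().partition("=")
        if not eq:
            continue  # not in target=alias,alias,... form
        for member in members.split(","):
            if member.strip():
                aliases[member.strip().lower()] = target.strip().lower()
    return aliases

def split_spn(spn):
    """Split 'CLASS/host[@REALM]' into (class, host), lower-cased."""
    principal = spn.split("@", 1)[0]  # assumption: realm suffix ignored for matching
    service_class, sep, host = principal.partition("/")
    if not sep or not service_class or not host:
        raise ValueError(f"not a service principal name: {spn!r}")
    return service_class.lower(), host.lower()

def covering_spn(requested, account_spns, aliases):
    """Return the registered SPN that serves `requested`, or None."""
    want_class, want_host = split_spn(requested)
    registered = {split_spn(s): s for s in account_spns}
    if (want_class, want_host) in registered:
        return registered[(want_class, want_host)]  # exact match wins
    target = aliases.get(want_class)  # e.g. http -> host
    return registered.get((target, want_host)) if target else None

if __name__ == "__main__":
    # SPNs of cupsserver$ as listed in the thread, without the added HTTP entry.
    spns = ["HOST/CUPSSERVER", "HOST/cupsserver.domain.tld"]
    aliases = parse_spn_mappings(SAMPLE_LDIF)
    for req in ("HTTP/cupsserver.domain.tld", "ipp/cupsserver.domain.tld"):
        print(req, "->", covering_spn(req, spns, aliases))
```

A result of None means the service class is not in the alias list, so that service would need its own SPN entry on the account.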



