[Samba] Asking help exporting a valid keytab file for cups http
Rowland Penny
rpenny at samba.org
Thu Jun 19 16:19:17 UTC 2025
On Thu, 19 Jun 2025 16:34:33 +0200
Thorsten Otto via samba <samba at lists.samba.org> wrote:
> Hello everyone,
>
> I spent days on creating a valid keytab file for a cups server without
> success and I'd kindly ask for help.
>
> The cups server is running on a host named cupsserver which is a
> domain member in a samba 4 ad domain called domain.tld.
> Everything is running on Debian 12 Bookworm. Samba is using heimdal
> kerberos with realm DOMAIN.TLD
Have you tried Samba from bookworm backports?
>
> On the primary domain controller I do:
A bit nit-picking here, but you do not have a primary DC, all DCs are
equal, it is just that one has the PDC_emulator FSMO role.
>
> root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> root@dc:~# samba-tool spn list cupsserver$
> cupsserver$
> User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> has the following servicePrincipalName:
> HOST/CUPSSERVER
> HOST/cupsserver.domain.tld
> HTTP/cupsserver.domain.tld@DOMAIN.TLD
That is another mistake, 'HOST' is a placeholder for other services
(amongst which is 'HTTP'), you can see the entire list with:
sudo ldbsearch --cross-ncs --show-binary \
    -H /var/lib/samba/private/sam.ldb -P \
    -b 'dc=samdom,dc=example,dc=com' -s sub \
    '(sPNMappings=*)' sPNMappings
Which should produce something like this:
# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
I hope you can see from that, you should be able to use the server's
host key.
Rowland
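
Added example (not part of the message above and not Samba code): a Python example that parses sPNMappings output like the record shown and checks whether a requested service class such as HTTP is already covered by a HOST SPN on the machine account. The sample LDIF is constructed (shortened and folded), the function names are hypothetical, and matching is simplified to a case-insensitive class/host comparison.

```python
# Added example, not from the original message.
# Constructed sample: the record above, shortened and folded as LDIF permits.
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,"
    "DC=samdom,DC=example,DC=com\n"
    "sPNMappings: host=alerter,appmgmt,cifs,spooler,time,\n"
    " wins,www,http,w3svc\n"
)


def parse_spn_mappings(ldif):
    """Return {alias: set(service classes)} from ldbsearch LDIF output."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    mappings = {}
    for line in lines:
        name, sep, value = line.partition(": ")
        if sep and name.lower() == "spnmappings":
            alias, _, services = value.partition("=")
            mappings.setdefault(alias.strip().lower(), set()).update(
                s.strip().lower() for s in services.split(",") if s.strip())
    return mappings


def covering_spn(requested, account_spns, mappings):
    """Return the account SPN that satisfies `requested`, or None."""
    svc, _, host = requested.partition("/")
    svc, host = svc.lower(), host.lower()
    registered = {}
    for spn in account_spns:
        cls, _, target = spn.partition("/")
        registered[(cls.lower(), target.lower())] = spn
    if (svc, host) in registered:           # explicit SPN present
        return registered[(svc, host)]
    for alias, services in mappings.items():
        if svc in services and (alias, host) in registered:
            return registered[(alias, host)]  # covered through the alias
    return None


if __name__ == "__main__":
    spns = ["HOST/CUPSSERVER", "HOST/cupsserver.domain.tld"]
    m = parse_spn_mappings(SAMPLE_LDIF)
    for want in ("HTTP/cupsserver.domain.tld", "ldap/cupsserver.domain.tld"):
        print(want, "->", covering_spn(want, spns, m))
```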