[Samba] Asking help exporting a valid keytab file for cups http

Thorsten Otto mail at thorstenotto.de
Thu Jun 19 17:11:45 UTC 2025


Thank you so much for your answer.

On Thursday, 19.06.2025 at 17:19 +0100, Rowland Penny via samba wrote:
> On Thu, 19 Jun 2025 16:34:33 +0200
> Thorsten Otto via samba <samba at lists.samba.org> wrote:
> 
> > Hello everyone,
> > 
> > I spent days creating a valid keytab file for a cups server without
> > success and I'd kindly ask for help.
> > 
> > The cups server is running on a host named cupsserver which is a
> > domain member in a samba 4 ad domain called domain.tld.
> > Everything is running on Debian 12 Bookworm. Samba is using Heimdal
> > Kerberos with realm DOMAIN.TLD.
> 
> Have you tried Samba from bookworm backports ?

Yes, I did. Additionally, I did a fresh apt full-upgrade -t bookworm-backports
and rebooted just now.
> 
> > 
> > On the primary domain controller I do:
> 
> A bit nit-picking here, but you do not have a primary DC, all DCs are
> equal, it is just that one has the PDC_emulator FSMO role.
> 
> > 
> > root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> > root@dc:~# samba-tool spn list cupsserver$
> > cupsserver$
> > User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld has the following servicePrincipalName:
> > 	 HOST/CUPSSERVER
> > 	 HOST/cupsserver.domain.tld
> > 	 HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 
> That is another mistake: 'HOST' is a placeholder for other services
> (amongst which is 'HTTP'); you can see the entire list with:

I did not create the HOST entries. They must have been put there by
samba or another service.
> 
> sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings
> 
> Which should produce something like this:
> # record 1
> dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
> sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
> 
> I hope you can see from that, you should be able to use the server's
> host key.

> Rowland
> 

I get the same output for the mappings. But I don't really understand
how I could use that for the http authentication. I did try these
steps and got the same error as before:

root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HOST/cupsserver.domain.tld
Export one principal to test.keytab
root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HOST/CUPSSERVER
Export one principal to test.keytab
root@dc:~# ktutil -k test.keytab list
test.keytab:

Vno  Type                     Principal                               Aliases
228  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  arcfour-hmac-md5         HOST/cupsserver.domain.tld@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
228  arcfour-hmac-md5         HOST/CUPSSERVER@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/cupsserver.domain.tld@DOMAIN.TLD in keytab FILE:test.keytab (unknown enctype)
root@dc:~# kinit -k -t test.keytab HOST/cupsserver.domain.tld
kinit: krb5_get_init_creds: Client (HOST/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HOST/CUPSSERVER
kinit: krb5_get_init_creds: Client (HOST/CUPSSERVER@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/cupsserver.domain.tld@DOMAIN.TLD in keytab FILE:test.keytab (unknown enctype)
root@dc:~# kinit -k -t test.keytab HOST/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HOST/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HOST/CUPSSERVER@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HOST/CUPSSERVER@DOMAIN.TLD) unknown
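An added example, not code from this thread or from Samba: a small Python parser for the version-2 (0x0502) keytab file format that lists what a keytab actually holds and reports whether a given service principal is present at which enctypes and kvno, which is the check behind the "Failed to find HTTP/... in keytab" error above. It assumes the keytab was written in the 0x0502 format as samba-tool and Heimdal's ktutil do; the sample keytab is constructed in the block with dummy key bytes and mirrors the thread's situation (HOST keys present, HTTP key absent).

```python
import struct

# Enctype numbers (RFC 3962 / RFC 4757) for the types shown in the thread's ktutil output.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def _counted(buf, off):  # uint16-length-prefixed byte string -> (bytes, next offset)
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, enctype, kvno) for each live entry of a 0x0502 keytab file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off = 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            off -= size
            continue
        e, p = data[off:off + size], 0
        ncomp = struct.unpack_from(">H", e, p)[0]
        realm, p = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        p += 8                            # skip name_type (uint32) and timestamp (uint32)
        vno8, etype, klen = struct.unpack_from(">BHH", e, p); p += 5 + klen
        # A 32-bit kvno may follow the key; fall back to the 8-bit field if it is absent.
        kvno = struct.unpack_from(">I", e, p)[0] if p + 4 <= len(e) else vno8
        yield "/".join(comps) + "@" + realm.decode(), etype, kvno
        off += size

def find_principal(data, principal):
    """Map enctype name -> kvno for entries matching principal ({} if it is missing)."""
    return {ENCTYPES.get(t, str(t)): k for n, t, k in parse_keytab(data) if n == principal}

def build_entry(principal, etype, key, kvno):
    """Serialize one entry; used here only to construct sample data (dummy key bytes)."""
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the thread: HOST keys present (kvno 228), HTTP key absent.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("HOST/cupsserver.domain.tld@DOMAIN.TLD", t, bytes(32), 228) for t in (18, 17, 23))
```

Against a real file, find_principal(open("test.keytab", "rb").read(), "HTTP/cupsserver.domain.tld@DOMAIN.TLD") returning {} is the same condition kinit reports above; a non-empty result also shows the kvno, which must match the account's current key version on the DC for the ticket to decrypt.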



