[Samba] Asking help exporting a valid keytab file for cups http
Thorsten Otto
mail at thorstenotto.de
Fri Jun 20 03:52:36 UTC 2025
Hello and thanks again for your answer.
But shouldn't the "kinit" with the exported keytab work also if I don't
need it?
And how can I use the HOST principal for cups if the keytab isn't
working?
Thorsten
On Thursday, 19.06.2025 at 19:07 +0100, Rowland Penny via samba wrote:
> On Thu, 19 Jun 2025 19:11:45 +0200
> Thorsten Otto via samba <samba at lists.samba.org> wrote:
>
> > Thank you so much for your answer.
> >
> > On Thursday, 19.06.2025 at 17:19 +0100, Rowland Penny via samba wrote:
> > > On Thu, 19 Jun 2025 16:34:33 +0200
> > > Thorsten Otto via samba <samba at lists.samba.org> wrote:
> > >
> >
> > > >
> > > > root at dc:~# samba-tool spn add HTTP/cupsserver.domain.tld at DOMAIN.TLD cupsserver$
> > > > root at dc:~# samba-tool spn list cupsserver$
> > > > cupsserver$
> > > > User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld has the following servicePrincipalName:
> > > > HOST/CUPSSERVER
> > > > HOST/cupsserver.domain.tld
> > > > HTTP/cupsserver.domain.tld at DOMAIN.TLD
> > >
> > > That is another mistake, 'HOST' is a placeholder for other
> > > services
> > > (amongst which is 'HTTP'), you can see the entire list with:
> >
> > I did not create the HOST entries. They must have been put there by
> > samba or another service.
>
> I wasn't referring to the 'HOST' part, I was referring to the 'HTTP'
> part, you do not need it.
>
> > >
> > > sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings
>
> If you replace the '-P' above with '--use-kerberos', it still works,
> but using kerberos.
>
> > >
> > > Which should produce something like this:
> > > # record 1
> > > dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
> > > sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
> > >
> > > I hope you can see from that, you should be able to use the
> > > servers
> > > host key.
> >
> > > Rowland
> > >
> >
> > I get the same output for the mappings. But I don't really
> > understand
> > how I could use that for the http authentication. I tried these
> > steps and got the same error as before
>
> What I am saying is, you should not need the 'HTTP' SPN, because the
> standard 'HOST' SPN should cover it.
>
> Rowland
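
Added example, not part of the original thread and not Samba code: a small Python sketch of the alias lookup Rowland describes, where a request for an 'HTTP' SPN is answered by the machine account's registered 'HOST' SPN because 'http' is listed in sPNMappings. The function names are hypothetical, and the LDIF sample is constructed from a shortened version of the output quoted above.

```python
# Constructed sample: shortened sPNMappings value, folded as LDIF continuation.
SAMPLE_LDIF = """\
# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cifs,spooler,snmp,schedule,time,wins,www,
 http,w3svc,iisadmin,msdtc
"""
# SPNs listed for cupsserver$ in the thread (before any HTTP SPN is added).
REGISTERED = ["HOST/CUPSSERVER", "HOST/cupsserver.domain.tld"]


def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_spn_mappings(ldif):
    """Return {alias_class: target_class}, e.g. {'http': 'host'}, lower-cased."""
    aliases = {}
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "spnmappings":
            continue
        target, _, classes = value.strip().partition("=")
        for cls in classes.split(","):
            if cls.strip():
                aliases[cls.strip().lower()] = target.strip().lower()
    return aliases


def covering_spn(requested, registered, aliases):
    """Return the registered SPN that answers for `requested`, or None."""
    svc, _, host = requested.partition("/")
    host = host.split("@")[0].lower()  # drop an optional @REALM suffix
    candidates = {svc.lower(), aliases.get(svc.lower(), svc.lower())}
    for spn in registered:
        r_svc, _, r_host = spn.partition("/")
        if r_svc.lower() in candidates and r_host.lower() == host:
            return spn
    return None


if __name__ == "__main__":
    aliases = parse_spn_mappings(SAMPLE_LDIF)
    print(covering_spn("HTTP/cupsserver.domain.tld", REGISTERED, aliases))
```
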