[Samba] Asking help exporting a valid keytab file for cups http

Thorsten Otto mail at thorstenotto.de
Fri Jun 20 10:57:10 UTC 2025


Hi Rowland,

thanks again for your support.

With your hints I seemingly got a bit further. But probably I am
lacking too many basics.

I added the userPrincipalName via samba-tool computer edit cupsserver$

I tried four variations (one after the other, not at once):

userPrincipalName: host/cupsserver.domain.tld
userPrincipalName: host/cupsserver.domain.tld at DOMAIN.TLD
userPrincipalName: HOST/cupsserver.domain.tld
userPrincipalName: HOST/cupsserver.domain.tld at DOMAIN.TLD

In every case I didn't get a ticket with

kinit -k -t test.keytab http/cupsserver.domain.tld
kinit -k -t test.keytab http/cupsserver.domain.tld at DOMAIN.TLD
kinit -k -t test.keytab HTTP/cupsserver.domain.tld
kinit -k -t test.keytab HTTP/cupsserver.domain.tld at DOMAIN.TLD

but the error message changed to:

kinit: Client 'HTTP/ewsfs.wetek.intern at WETEK.INTERN' not found in
Kerberos database while getting initial credentials.
(kinit: Client 'host/devstation.samdom.example.com at SAMDOM.EXAMPLE.COM'
not found in Kerberos database while getting initial credentials)

before it was:
kinit: krb5_get_init_creds: Client
(HTTP/cupsserver.domain.tld at DOMAIN.TLD) unknown

Best regards, Thorsten


On Friday, 20.06.2025 at 09:21 +0100, Rowland Penny via samba wrote:
> On Fri, 20 Jun 2025 05:52:36 +0200
> Thorsten Otto via samba <samba at lists.samba.org> wrote:
> 
> > Hello and thanks again for your answer.
> > 
> > But shouldn't the "kinit" with the exported keytab work also if I
> > don't need it?
> > 
> > And how can I use the HOST principal for cups if the keytab isn't
> > working?
> > 
> > Thorsten
> > 
> > 
> 
> I normally do not use a computer keytab on Linux, so just naively
> believed it would work, it doesn't :-(
> 
> What does work, you can export a keytab with the 'http' SPN prefix
> without there actually being any such SPN in AD, provided there is a
> SPN that starts with 'host'.
> 
> If you try to use the keytab, you get this:
> 
> kinit: Client 'host/devstation.samdom.example.com at SAMDOM.EXAMPLE.COM'
> not found in Kerberos database while getting initial credentials
> 
> When there is quite obviously a servicePrincipalName attribute
> containing that in AD.
> 
> I stared at the computers object for quite some time until it hit me,
> while 'devstation' had a few SPNs, it didn't have a userPrincipalName
> attribute, so adding:
> 
> userPrincipalName:
> host/devstation.samdom.example.com at SAMDOM.EXAMPLE.COM
> 
> Led to a successful kinit, which led to this:
> 
> rowland at devstation:~$ sudo klist
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal:
> host/devstation.samdom.example.com at SAMDOM.EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 20/06/25 09:07:17  20/06/25 19:07:17 
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> 	renew until 21/06/25 09:07:17
> 
> Hope this helps.
> 
> Rowland
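The thread tries several spellings of the same principal against kinit -k. Kerberos principal names are case-sensitive and always carry a realm, so HTTP/host@REALM, http/host@REALM and HTTP/host are three different names, and the first thing to rule out is that the name given to kinit is simply not the one stored in the keytab. The script below is an added example, not code from the thread or from Samba; it parses MIT `klist -k -t` output and only attempts kinit once the exact name is confirmed present. The keytab path, host name and realm are placeholders, and the klist listing embedded in it is constructed for the example.

```shell
#!/bin/sh
# keytab-check.sh: added example, not code from the thread or from Samba.
# Confirm that the principal handed to `kinit -k` is present in the keytab
# exactly as written (case and realm included) before touching AD attributes.
# The keytab path, host name and realm used below are placeholders.

# Append the realm when the caller leaves it off, so the name can be
# compared with what klist prints (klist always shows the realm).
qualify_principal() {
    princ=$1
    realm=$2
    case $princ in
        *@*) printf '%s\n' "$princ" ;;
        *)   printf '%s@%s\n' "$princ" "$realm" ;;
    esac
}

# Read MIT `klist -k -t <keytab>` output on stdin and print each distinct
# principal once. Header and separator lines contain no '@', so keeping
# only lines whose last field has one selects the key entries.
keytab_principals() {
    awk '$NF ~ /@/ { print $NF }' | sort -u
}

# Exit 0 if the exact principal (case-sensitive, realm included) is
# listed in the klist output on stdin, 1 otherwise.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# Constructed sample of `klist -k -t` output for a keytab exported with
# both a host and an http entry (not a real keytab).
SAMPLE_KLIST='Keytab name: FILE:test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/20/2025 09:07:17 host/cupsserver.domain.tld@DOMAIN.TLD
   2 06/20/2025 09:07:17 http/cupsserver.domain.tld@DOMAIN.TLD'

# Interactive use against a real keytab:
#   sh keytab-check.sh check test.keytab HTTP/cupsserver.domain.tld DOMAIN.TLD
# When the name is not in the keytab it prints what the keytab really holds
# and stops; kinit is only run when the name matches, so a KDC error such as
# "Client ... not found in Kerberos database" can no longer be confused with
# a spelling or case mismatch on the client side.
case ${1:-} in
    check)
        keytab=$2
        full=$(qualify_principal "$3" "$4")
        if klist -k -t "$keytab" | keytab_has_principal "$full"; then
            echo "$full is in $keytab, requesting a TGT"
            kinit -k -t "$keytab" "$full" && klist
        else
            echo "$full is not in $keytab; it contains:" >&2
            klist -k -t "$keytab" | keytab_principals >&2
            exit 1
        fi
        ;;
esac
```

With the sample listing above, `http/cupsserver.domain.tld@DOMAIN.TLD` is reported present while `HTTP/cupsserver.domain.tld@DOMAIN.TLD` and the realm-less `http/cupsserver.domain.tld` are not, which is the distinction the four kinit variants in the message are probing.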