[Samba] Asking help exporting a valid keytab file for cups http

Rowland Penny rpenny at samba.org
Sat Jun 21 11:07:22 UTC 2025


On Fri, 20 Jun 2025 12:57:10 +0200
Thorsten Otto via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> thanks again for your support.
> 
> With your hints I seemingly got a bit further. But probably I am
> lacking too many basics.
> 
> I added the userPrincipalName via samba-tool computer edit cupsserver$
> 
> I tried four variations (one after the other, not at once):
> 
> userPrincipalName: host/cupsserver.domain.tld
> userPrincipalName: host/cupsserver.domain.tld@DOMAIN.TLD
> userPrincipalName: HOST/cupsserver.domain.tld
> userPrincipalName: HOST/cupsserver.domain.tld@DOMAIN.TLD
> 
> In every case I didn't get a ticket with
> 
> kinit -k -t test.keytab http/cupsserver.domain.tld
> kinit -k -t test.keytab http/cupsserver.domain.tld@DOMAIN.TLD
> kinit -k -t test.keytab HTTP/cupsserver.domain.tld
> kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 
> but the error message changed to:
> 
> kinit: Client »HTTP/ewsfs.wetek.intern@WETEK.INTERN« wurde nicht in
> der Kerberos-Datenbank gefunden bei Anfängliche Anmeldedaten werden
> geholt. (kinit: Client
> 'host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM' not found in
> Kerberos database while getting initial credentials)
> 
> before it was:
> kinit: krb5_get_init_creds: Client
> (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown

OK, I started a Unix domain member in a VM, its hostname is the highly
original 'testmem1'.

I checked the AD object for 'testmem1' and among the output was this:

dn: CN=TESTMEM1,CN=Computers,DC=samdom,DC=example,DC=com
...............
servicePrincipalName: HOST/TESTMEM1.samdom.example.com
servicePrincipalName: RestrictedKrbHost/TESTMEM1.samdom.example.com

They were the only SPNs and there was no UPN, so I added one:

userPrincipalName: host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM

I then exported a keytab with the required SPNs:
adminuser@rpidc1:~ $ sudo samba-tool domain exportkeytab test.keytab --principal=host/testmem1.samdom.example.com
Export one principal to test.keytab
adminuser@rpidc1:~ $ sudo samba-tool domain exportkeytab test.keytab --principal=http/testmem1.samdom.example.com
Export one principal to test.keytab

NOTE: I was able to export an SPN that doesn't exist in the computers
AD object.

Using ktutil shows this:

adminuser@rpidc1:~ $ sudo ktutil
ktutil:  rkt test.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    4 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   3    4 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   4    3 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   5    3 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   6    3 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   7    2 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   8    2 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
   9    2 host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  10    4 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  11    4 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  12    4 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  13    3 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  14    3 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  15    2 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
  16    2 http/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM
ktutil:  q

I then copied the keytab to 'testmem1':

adminuser@rpidc1:~ $ sudo scp test.keytab adminuser@testmem1:/home/adminuser/
adminuser@testmem1's password:
test.keytab                                   100% 1666   437.5KB/s 00:00

Then on 'testmem1' I used the keytab to get a ticket:

adminuser@testmem1:~$ sudo kinit -k -t test.keytab
adminuser@testmem1:~$

Running 'klist' produced this:

adminuser@testmem1:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/testmem1.samdom.example.com@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
21/06/25 11:52:55  21/06/25 21:52:55  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 22/06/25 11:52:55

Rowland
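
As an added illustration (not Rowland's or Samba's code) of what the ktutil listing in the mail represents, and of the NOTE that samba-tool will export a principal that has no SPN on the computer object: a small Python parser for the MIT keytab file format that lists slot, KVNO and principal the way 'ktutil: l' does, and flags keytab principals whose service name matches none of the account's SPNs. The keytab bytes are constructed inside the script (zeroed keys, one entry per principal), and the SPN list is the one shown for 'testmem1'; nothing here talks to a DC.

```python
import struct
# Constructed sample data, not the keytab from the mail: the two principals ktutil listed.
REALM = "SAMDOM.EXAMPLE.COM"
HOST = "testmem1.samdom.example.com"
AES256 = 18  # aes256-cts-hmac-sha1-96 enctype number

def build_entry(principal, kvno, enctype, key, ts=0):
    """Serialise one MIT keytab (format 0x0502) entry; all integers big-endian."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    cstr = lambda b: struct.pack(">H", len(b)) + b          # counted octet string
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)          # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def read_cstr(buf, p):
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(slot, kvno, principal, enctype)], the columns 'ktutil: l' prints."""
    if data[:2] != b"\x05\x02": raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            pos += -size or len(data); continue
        e = data[pos:pos + size]; pos += size
        (ncomp,) = struct.unpack(">H", e[:2]); realm, p = read_cstr(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = read_cstr(e, p); comps.append(c)
        _ntype, _ts, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen
        kvno = struct.unpack(">I", e[p:p + 4])[0] if len(e) - p >= 4 else vno8
        out.append((len(out) + 1, kvno, "/".join(comps) + "@" + realm, enctype))
    return out

def principals_not_in_spns(entries, spns):
    """Keytab principals whose service name matches none of the account's SPNs."""
    known = {s.lower() for s in spns}
    return sorted({p for _, _, p, _ in entries if p.split("@")[0].lower() not in known})

SPNS = ["HOST/TESTMEM1.samdom.example.com", "RestrictedKrbHost/TESTMEM1.samdom.example.com"]
SAMPLE = b"\x05\x02" + build_entry(f"host/{HOST}@{REALM}", 4, AES256, bytes(32)) \
                     + build_entry(f"http/{HOST}@{REALM}", 4, AES256, bytes(32))
```

Run against a real keytab (`parse_keytab(open("test.keytab", "rb").read())`) and the output of `samba-tool spn list`, the check shows which exported principals the KDC has no SPN for, which is exactly the http/ entry in the mail.
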
