[Samba] Usage of the machine account for ldapsearch
Christian
chanlists at googlemail.com
Fri Feb 13 15:42:35 UTC 2026
Hi Matthias,
if you run winbind on that machine, you can also have winbind maintain
the kerberos keytab /etc/krb5.keytab for you, even if you do not use it
in PAM or NSS.
We use the following keytab related settings in smb.conf:
kerberos method = secrets only
sync machine password to keytab =
"/etc/krb5.keytab:sync_account_name:sync_upn:sync_spns:spn_prefixes=host:sync_etypes:sync_kvno:additional_dns_hostnames:machine_password"
Best wishes
Christian
On 2/4/26 12:43, Stefan Kania via samba wrote:
> Hi Matthias,
>
> first you need to create a keytab for your principal with:
>
> samba-tool domain exportkeytab --principal=youraccount at YOUR.REALM
> /path/for/keytab/youraccount.keytab
>
> Then, if you want to use the keytab for authentication with the
> ldap-tools do
>
> kinit -k -t /path/for/keytab/youraccount.keytab youraccount
>
> create an ldap.conf with the right URI and BASE then do a
>
> ldapsearch
>
> without any arguments this should list all the objects youraccount has
> permission to see.
>
>
>
> On 04.02.26 at 07:45, Matthias Kühne | Ellerhold
> Aktiengesellschaft via samba wrote:
>> I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for a
>> PW. There must be a keytab somewhere on this server that I can use,
>> right?
>
> Matrix: @stkania:matrix.org
> ---------------------
>
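The flow discussed in the thread, as an added example that is not part of any of the posts: derive the machine principal of the form Matthias used (TEST-SERVER$@AD.ELLERHOLD.LAN), check that it is present in the keytab winbind maintains, obtain a TGT from that keytab with kinit -k -t as Stefan describes, and bind ldapsearch with it. The realm, the keytab path, the GSSAPI SASL mechanism and the MIT-style klist -k output layout are assumptions; URI and BASE are expected to come from ldap.conf as in Stefan's post.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes MIT krb5 tools and that
# ldap.conf already carries URI and BASE.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"       # path from Christian's smb.conf setting
REALM="${REALM:-AD.ELLERHOLD.LAN}"         # realm from Matthias' kinit example (assumed)

# machine_principal HOST REALM -> HOST$@REALM, uppercased as AD stores it
machine_principal() {
    printf '%s$@%s\n' "$1" "$2" | tr '[:lower:]' '[:upper:]'
}

# keytab_has_principal KEYTAB PRINCIPAL -> 0 if klist -k lists it, 1 otherwise.
# Assumes the principal is the last field of each klist -k line (MIT layout).
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | awk '{print $NF}' | grep -qxF -- "$2"
}

# Full flow: verify the keytab, kinit without a password, search as the machine.
machine_ldapsearch() {
    princ=$(machine_principal "$(hostname -s)" "$REALM")
    if ! keytab_has_principal "$KEYTAB" "$princ"; then
        echo "$princ not in $KEYTAB (is winbind syncing the keytab?)" >&2
        return 1
    fi
    # -k: authenticate from a keytab, -t: which keytab; no password prompt
    kinit -k -t "$KEYTAB" "$princ"
    # GSSAPI bind with the fresh ticket; -Q suppresses SASL chatter
    ldapsearch -LLL -Y GSSAPI -Q "(objectClass=computer)" dn
}

# Only contact the DC when asked, so the file can be sourced for its functions.
if [ "${RUN_MACHINE_LDAPSEARCH:-0}" = 1 ]; then
    machine_ldapsearch
fi
```

Run with RUN_MACHINE_LDAPSEARCH=1 on the domain member; a missing principal in the keytab points at the winbind keytab sync rather than at ldapsearch.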