[Samba] Usage of the machine account for ldapsearch

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Mon Feb 16 07:07:46 UTC 2026


Hello Christian,

Thanks! I've got the keytab now and klist -kte /etc/krb5.keytab shows 
entries, but using kinit on them leads to an error:

kinit -kt /etc/krb5.keytab 'host/my-host@AD.ELLERHOLD.LAN'
kinit: Client 'host/my-host@AD.ELLERHOLD.LAN' not found in Kerberos 
database while getting initial credentials

Using kinit with 'my-host$@AD.ELLERHOLD.LAN' works though, but the 
ldapsearch doesn't work:

ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldaps://dc1.ad.ellerhold.lan 
-b dc=AD,DC=ELLERHOLD,DC=LAN
ldap_sasl_interactive_bind: Invalid credentials (49)
     additional info: 80090346: LdapErr: DSID-0C090711, comment: 
AcceptSecurityContext error, data 35b, v1db1

Any idea what I'm doing wrong?

Thanks and have a nice day!

On 13.02.26 at 16:42, Christian via samba wrote:
> Hi Matthias,
>
> if you run winbind on that machine, you can also have winbind maintain 
> the kerberos keytab /etc/krb5.keytab for you, even if you do not use 
> it in PAM or NSS.
>
> We use the following keytab related settings in smb.conf:
>
>         kerberos method = secrets only
>         sync machine password to keytab = "/etc/krb5.keytab:sync_account_name:sync_upn:sync_spns:spn_prefixes=host:sync_etypes:sync_kvno:additional_dns_hostnames:machine_password"
>
> Best wishes
>
> Christian
>
> On 2/4/26 12:43, Stefan Kania via samba wrote:
>> Hi Matthias,
>>
>> first you need to create a keytab for your principal with:
>>
>> samba-tool domain exportkeytab --principal=youraccount@YOUR.REALM 
>> /path/for/keytab/youraccount.keytab
>>
>> Then, if you want to use the keytab for authentication with the 
>> ldap-tools do
>>
>> kinit -k -t /path/for/keytab/youraccount.keytab youraccount
>>
>> create a ldap.conf with the right URI and BASE then do a
>>
>> ldapsearch
>>
>> without any arguments this should list all the Objects youraccount 
>> has permission to see.
>>
>>
>>
>> On 04.02.26 at 07:45, Matthias Kühne | Ellerhold 
>> Aktiengesellschaft via samba wrote:
>>> I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for a
>>> PW. There must be a keytab somewhere on this server that I can use, 
>>> right?
>>
>> Matrix: @stkania:matrix.org
>> ---------------------
>>
>
-- 
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe

Dresden Local Court / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold



---
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: https://www.ellerhold.de/datenschutz/
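An added example, not from this thread or from the Samba project: a small Python audit of the keytab that winbind maintains (the file klist -kte lists above). It parses the 0x0502 keytab format and separates single-component account principals (MY-HOST$, the form that kinit accepted in the message above) from host/ service principals, and flags DES/RC4 keys that should not be on disk. The sample keytab bytes, the realm AD.EXAMPLE.LAN and the host names are constructed; the _entry encoder exists only to build that sample.

```python
import struct

WEAK_ETYPES = {1, 3, 23}  # DES (1, 3) and RC4 (23) keys should not be on disk

def _octets(buf, pos):    # counted_octet_string: uint16 length + data
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):   # keytab format 0x0502, all integers big-endian
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, keyblock etype
        _, _, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _octets(data, pos + 11)
        # an optional trailing 32-bit kvno overrides the 8-bit field
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            # one component (MY-HOST$) = account name usable as kinit client; host/... = SPN
            "kind": "account" if ncomp == 1 else "service",
            "kvno": kvno, "etype": etype, "weak": etype in WEAK_ETYPES})
        pos = end
    return entries

def _entry(comps, realm, kvno, etype, key):  # encoder, used for the sample only
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

R = b"AD.EXAMPLE.LAN"  # constructed sample: machine account key + two host/ SPN keys (one RC4)
SAMPLE_KEYTAB = (b"\x05\x02" + _entry([b"MY-HOST$"], R, 3, 18, b"\x11" * 32)
                 + _entry([b"host", b"my-host.ad.example.lan"], R, 3, 18, b"\x11" * 32)
                 + _entry([b"host", b"my-host"], R, 3, 23, b"\x22" * 16))
```

Run it against a real file with parse_keytab(open("/etc/krb5.keytab", "rb").read()); entries of kind "account" are the names to pass to kinit -kt, and any entry with "weak" set points at an enctype worth removing from the sync_etypes list.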