[Samba] Usage of the machine account for ldapsearch
Rowland Penny
rpenny at samba.org
Mon Feb 16 15:55:34 UTC 2026
On Mon, 16 Feb 2026 08:07:46 +0100
Matthias Kühne | Ellerhold Aktiengesellschaft via samba
<samba at lists.samba.org> wrote:
> Hello Christian,
>
> Thanks! I've got the Keytab now and klist -kte /etc/krb5.keytab shows
> entries, but using kinit on them leads to an error:
>
> kinit -kt /etc/krb5.keytab 'host/my-host@AD.ELLERHOLD.LAN'
> kinit: Client 'host/my-host@AD.ELLERHOLD.LAN' not found in Kerberos
> database while getting initial credentials
>
> Using kinit with 'my-host$@AD.ELLERHOLD.LAN' works though, but the
> ldapsearch doesn't work:
You shouldn't need to run kinit, the 'machine ticket' is in memory.
>
> ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldaps://dc1.ad.ellerhold.lan -b dc=AD,DC=ELLERHOLD,DC=LAN
> ldap_sasl_interactive_bind: Invalid credentials (49)
>         additional info: 80090346: LdapErr: DSID-0C090711, comment: AcceptSecurityContext error, data 35b, v1db1
>
> Any idea what I'm doing wrong?
Not entirely sure, I tested this against one of my Samba DCs:
sudo ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldap://dc01.samdom.example.com -b dc=SAMDOM,DC=EXAMPLE,DC=COM
NOTE: I added 'ldap server require strong auth = no' to the DC, to take
ldaps out of the picture.
I ran the above command and got a dump of my AD domain.
I didn't kinit as the computer, winbind does this for you and, as I
said, it puts the kerberos ticket in memory.
Rowland
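Added example, not code from the thread or from Samba: a small POSIX shell helper that pulls the LDAP result code and the AD "data" code out of an ldapsearch bind error like the one quoted above, so a wrapper script can log why a GSSAPI bind was rejected. The sample error text is constructed in the shape of the quoted message; the helper only knows the widely documented AD data codes, so the thread's 35b is reported as unknown.

```shell
#!/bin/sh
# Triage an AD GSSAPI bind failure as reported by ldapsearch.
# AD appends an extended error after "data" in the diagnostic message;
# extract it together with the numeric LDAP result code.

# Constructed sample, shaped like the error quoted in the thread.
SAMPLE_ERR='ldap_sasl_interactive_bind: Invalid credentials (49)
        additional info: 80090346: LdapErr: DSID-0C090711, comment: AcceptSecurityContext error, data 35b, v1db1'

# Print the numeric LDAP result code, e.g. 49 for invalidCredentials.
ldap_result_code() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Print the hex "data" code AD adds to the diagnostic, or nothing if absent.
ad_data_code() {
    printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1
}

# Map the well-known AD data codes to a short reason; anything else is "unknown".
ad_data_reason() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials (bad password)" ;;
        530) echo "not permitted to logon at this time" ;;
        531) echo "not permitted to logon from this workstation" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown" ;;
    esac
}

# Stand-alone demonstration on the constructed sample.
code=$(ldap_result_code "$SAMPLE_ERR")
data=$(ad_data_code "$SAMPLE_ERR")
echo "LDAP result $code, AD data $data: $(ad_data_reason "$data")"
```

In practice feed the helper with the stderr of the real ldapsearch call (for example `err=$(ldapsearch ... 2>&1 >/dev/null)`) and log the reason instead of only the raw error.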