[Samba] Usage of the machine account for ldapsearch
Christian
chanlists at googlemail.com
Wed Feb 18 07:53:56 UTC 2026
On 2/16/26 08:07, Matthias Kühne | Ellerhold Aktiengesellschaft via
samba wrote:
> Hello Christian,
>
> Thanks! I've got the keytab now and klist -kte /etc/krb5.keytab shows
> entries, but using kinit on them leads to an error:
>
> kinit -kt /etc/krb5.keytab 'host/my-host@AD.ELLERHOLD.LAN'
> kinit: Client 'host/my-host@AD.ELLERHOLD.LAN' not found in Kerberos
> database while getting initial credentials
>
> Using kinit with 'my-host$@AD.ELLERHOLD.LAN' works though, but the
> ldapsearch doesn't work:
>
> ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldaps://dc1.ad.ellerhold.lan
> -b dc=AD,DC=ELLERHOLD,DC=LAN
> ldap_sasl_interactive_bind: Invalid credentials (49)
> additional info: 80090346: LdapErr: DSID-0C090711, comment:
> AcceptSecurityContext error, data 35b, v1db1
>
> Any idea what I'm doing wrong?
>
> Thanks and have a nice day!
Hm. For the ldapsearch, try with ldap instead of with ldaps. And without
-Q.
As for the keytab, what is the sanitized output of
ktutil list
(assuming Heimdal ktutil)? Or
ktutil
rkt /etc/krb5.keytab
list -te
(assuming MIT ktutil)?
What is the sanitized output of
samba-tool spn list 'my-host$' ?
Best
Christian
> On 13.02.26 at 16:42, Christian via samba wrote:
>> Hi Matthias,
>>
>> if you run winbind on that machine, you can also have winbind maintain
>> the kerberos keytab /etc/krb5.keytab for you, even if you do not use
>> it in PAM or NSS.
>>
>> We use the following keytab related settings in smb.conf:
>>
>> kerberos method = secrets only
>> sync machine password to keytab =
>> "/etc/krb5.keytab:sync_account_name:sync_upn:sync_spns:spn_prefixes=host:sync_etypes:sync_kvno:additional_dns_hostnames:machine_password"
>>
>> Best wishes
>>
>> Christian
>>
>> On 2/4/26 12:43, Stefan Kania via samba wrote:
>>> Hi Matthias,
>>>
>>> first you need to create a keytab for your principal with:
>>>
>>> samba-tool domain exportkeytab --principal=youraccount@YOUR.REALM
>>> /path/for/keytab/youraccount.keytab
>>>
>>> Then, if you want to use the keytab for authentication with the
>>> ldap-tools do
>>>
>>> kinit -k -t /path/for/keytab/youraccount.keytab youraccount
>>>
>>> create a ldap.conf with the right URI and BASE then do a
>>>
>>> ldapsearch
>>>
>>> without any arguments this should list all the objects youraccount
>>> has permission to see.
>>>
>>>
>>>
>>> On 04.02.26 at 07:45, Matthias Kühne | Ellerhold
>>> Aktiengesellschaft via samba wrote:
>>>> I can run kinit 'TEST-SERVER$@AD.ELLERHOLD.LAN' and it prompts me for a
>>>> PW. There must be a keytab somewhere on this server that I can use,
>>>> right?
>>> Matrix: @stkania:matrix.org
>>> ---------------------
>>>
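The thread turns on which principal in /etc/krb5.keytab can actually be used as a kinit client identity (the machine account MY-HOST$ worked, the host/ SPN entry did not). Before trying kinit -kt and ldapsearch -Y GSSAPI it helps to look at what the keytab holds for the principal you intend to use. The following script is an added example written for this thread, not code from Samba or from any of the posters: it parses the output of MIT `klist -kte` (the listing below is a constructed sample using the host name, realm and keytab path from the thread) and reports whether a given principal has an entry, which kvno and enctypes that entry has, and whether the only mismatch is letter case, which keytab lookups do not forgive. Everything else in it is an assumption.

```python
"""Check a keytab listing before running kinit / ldapsearch -Y GSSAPI.

Added example for this thread, not code from Samba or from the posters.
It parses the output of MIT `klist -kte` (constructed sample below) and
reports, for a principal you intend to kinit with, whether the keytab
holds a matching entry, which kvno and enctypes it has, and whether the
only mismatch is letter case.  Host name, realm and keytab path are the
placeholders from the thread; everything else is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    timestamp: str
    principal: str
    etype: str


# Constructed sample in the layout MIT `klist -kte /etc/krb5.keytab` prints.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/16/2026 08:00:00 host/my-host@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   3 02/16/2026 08:00:00 host/my-host@AD.ELLERHOLD.LAN (aes128-cts-hmac-sha1-96)
   2 01/10/2026 12:00:00 MY-HOST$@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   3 02/16/2026 08:00:00 MY-HOST$@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   3 02/16/2026 08:00:00 MY-HOST$@AD.ELLERHOLD.LAN (aes128-cts-hmac-sha1-96)
"""

# One key line: kvno, "MM/DD/YYYY HH:MM:SS", principal, "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)"
)


def parse_klist(text: str) -> list[KeytabEntry]:
    """Return one KeytabEntry per key line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["ts"], m["princ"], m["etype"]))
    return entries


def principals(entries: list[KeytabEntry]) -> list[str]:
    """Distinct principal names present in the keytab, sorted."""
    return sorted({e.principal for e in entries})


def check_principal(entries: list[KeytabEntry], wanted: str) -> dict:
    """Describe what the keytab holds for `wanted`.

    found      : an entry with exactly this name exists
    case_only  : the only entries differ from `wanted` in letter case
    kvnos      : every key version present for the exact name
    newest_kvno: the highest of those (the key kinit will use)
    etypes     : enctypes stored for the newest kvno
    """
    exact = [e for e in entries if e.principal == wanted]
    folded = [e for e in entries if e.principal.lower() == wanted.lower()]
    report = {
        "principal": wanted,
        "found": bool(exact),
        "case_only": bool(folded) and not exact,
        "kvnos": sorted({e.kvno for e in exact}),
        "newest_kvno": None,
        "etypes": [],
    }
    if exact:
        newest = max(e.kvno for e in exact)
        report["newest_kvno"] = newest
        report["etypes"] = sorted(e.etype for e in exact if e.kvno == newest)
    return report


def kinit_argv(keytab: str, principal: str) -> list[str]:
    """argv for the kinit form used in the thread (no shell quoting needed)."""
    return ["kinit", "-kt", keytab, principal]


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print("principals in keytab:", principals(entries))
    for p in ("host/my-host@AD.ELLERHOLD.LAN",
              "MY-HOST$@AD.ELLERHOLD.LAN",
              "my-host$@AD.ELLERHOLD.LAN"):
        print(check_principal(entries, p))
    print(" ".join(kinit_argv("/etc/krb5.keytab", "MY-HOST$@AD.ELLERHOLD.LAN")))
```

Run it against real output by replacing SAMPLE_KLIST with the text of `klist -kte /etc/krb5.keytab`. A principal that is present in the keytab can still be rejected by the KDC with "not found in Kerberos database", as happened with the host/ entry in the thread; the script only tells you what the client side has, and the `samba-tool spn list` output Christian asks for is what shows how the account is known on the server side.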