[Samba] Usage of the machine account for ldapsearch

Rowland Penny rpenny at samba.org
Wed Feb 18 10:28:03 UTC 2026


On Wed, 18 Feb 2026 08:53:56 +0100
Christian via samba <samba at lists.samba.org> wrote:

> On 2/16/26 08:07, Matthias Kühne | Ellerhold Aktiengesellschaft via 
> samba wrote:
> > Hello Christian,
> >
> > Thanks! I've got the keytab now and klist -kte /etc/krb5.keytab shows
> > entries, but using kinit on them leads to an error:
> >
> > kinit -kt /etc/krb5.keytab 'host/my-host@AD.ELLERHOLD.LAN'
> > kinit: Client 'host/my-host@AD.ELLERHOLD.LAN' not found in Kerberos
> > database while getting initial credentials
> >
> > Using kinit with 'my-host$@AD.ELLERHOLD.LAN' works though, but the
> > ldapsearch doesn't work:
> >
> > ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H
> > ldaps://dc1.ad.ellerhold.lan -b dc=AD,DC=ELLERHOLD,DC=LAN
> > ldap_sasl_interactive_bind: Invalid credentials (49)
> >       additional info: 80090346: LdapErr: DSID-0C090711, comment:
> > AcceptSecurityContext error, data 35b, v1db1
> >
> > Any idea what I'm doing wrong?
> >
> > Thanks and have a nice day!
> 
> Hm. For the ldapsearch, try with ldap instead of with ldaps. And
> without -Q.
> 
> As for the keytab, what is the sanitized output of
> 
> ktutil list
> 
> (assuming heimdal ktutil)? Or
> 
> ktutil
> rkt /etc/krb5.keytab
> list -te
> 
> (assuming MIT ktutil)?
> 
> What is the sanitized output of
> 
> samba-tool spn list 'my-host$' ?
> 
> Best
> 
> Christian
> 

You do not need to kinit to use a computer's Kerberos ticket and even if
you do kinit using a computer's keytab, it probably will not work.

OK, a computer is really just a user with an extra objectclass, but it
also lacks something, a UPN.

If I check for a keytab on a Debian 13 domain joined computer running
Samba 4.23.5, I get this:

adminuser@debian13:~$ ls /etc/krb5.keytab
ls: cannot access '/etc/krb5.keytab': No such file or directory

So, no keytab.

If I try to run ldapsearch, I get this:

adminuser@debian13:~$ sudo ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldap://dc01.samdom.example.com -b dc=SAMDOM,DC=EXAMPLE,DC=COM
ldap_sasl_interactive_bind: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available: No worthy mechs found

However, if I use a similar ldbsearch:

adminuser@debian13:~$ sudo ldbsearch -P --show-binary -H ldap://dc01.samdom.example.com -b dc=SAMDOM,DC=EXAMPLE,DC=COM

I get an AD dump.

If you insist on using ldapsearch, you are going to have to do one of
two things, either use an actual user instead of the computer, or give
the computer a UPN.

Rowland
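As an added example (not part of this thread and not Samba code), a small Python helper that parses `klist -kte` output and separates the service principals (`host/...`), which are not client principals you can kinit as, from the computer account principal (`my-host$@REALM`), which is the one kinit accepts. The keytab listing below is a constructed sample in MIT `klist` format, built from the host and realm names used in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `klist -kte /etc/krb5.keytab` output (MIT format).
# Not captured from a real system; names follow the thread above.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/16/2026 08:00:01 host/my-host@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   2 02/16/2026 08:00:01 host/my-host.ad.ellerhold.lan@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   2 02/16/2026 08:00:01 MY-HOST$@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
"""

# One entry line: KVNO, a two-token timestamp, the principal, optional (enctype).
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)(?:\s+\((\S+)\))?\s*$")


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: Optional[str]


def parse_klist(text: str) -> List[KeytabEntry]:
    """Parse the entry lines of `klist -kte`; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(3), m.group(4)))
    return entries


def is_service_principal(principal: str) -> bool:
    """SPN-style entries (service/host@REALM) are keys the host *accepts* tickets with;
    AD has no client principal of that name, so `kinit -kt` on them fails."""
    return "/" in principal.split("@", 1)[0]


def is_computer_account(principal: str) -> bool:
    """The machine account principal is the sAMAccountName (trailing '$') plus realm."""
    name = principal.split("@", 1)[0]
    return "/" not in name and name.endswith("$")


def kinit_principal(entries: List[KeytabEntry]) -> Optional[str]:
    """Return the one keytab principal kinit can use for the machine account, if any."""
    candidates = [e.principal for e in entries if is_computer_account(e.principal)]
    return candidates[0] if candidates else None
```

Run `kinit_principal(parse_klist(SAMPLE_KLIST))` to get the principal to pass to `kinit -kt`; note that, as the reply above says, a working kinit alone does not make GSSAPI ldapsearch work for a computer account without a UPN.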
