[Samba] Usage of the machine account for ldapsearch

Matthias Kühne | Ellerhold Aktiengesellschaft matthias.kuehne at ellerhold.de
Wed Feb 18 12:11:28 UTC 2026


Hello,

thanks Christian, that was it. It works now!

That's what I did:

1) Edit smb.conf and add

sync machine password to keytab = 
"/etc/krb5.keytab:sync_account_name:sync_upn:sync_spns:spn_prefixes=host:sync_etypes:sync_kvno:additional_dns_hostnames:machine_password"

2) Restart winbindd

The /etc/krb5.keytab exists

klist -kte /etc/krb5.keytab shows ~ 42 entries

ldapsearch does not work yet!

After setting KRB5CCNAME=/etc/krb5.keytab

klist -k shows the tickets, but no credentials! ldapsearch throws

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
     additional info: SASL(-1): generic failure: GSSAPI Error: No 
credentials were supplied, or the credentials were unavailable or 
inaccessible (No Kerberos credentials available: Bad format in 
credentials cache (filename: /etc/krb5.keytab))

So we have a ticket, but no credentials?

unset KRB5CCNAME

3) kinit -kt /etc/krb5.keytab 'MY-HOST$@AD.ELLERHOLD.LAN'

Now "klist" shows my credential and ldapsearch works!

4) ldapsearch -o ldif-wrap=no -Y GSSAPI -H ldap://dc1.ad.ellerhold.lan 
-b dc=AD,DC=ELLERHOLD,DC=LAN

Thanks Christian!


@Rowland: I tried ldbsearch again and it got hung up on the "-P" option 
which does not exist on my Samba version.

Turns out: I installed the wrong version of ldb-tools. Using the right 
version (from Samba 4.23) it works!

ldbsearch -P -H ldap://dc1.ad.ellerhold.lan -b dc=AD,dc=ELLERHOLD,dc=LAN

I don't need to edit the smb.conf or use kinit.

Thanks!!


Have a nice day,
Matthias.


On 18.02.26 at 11:28, Rowland Penny via samba wrote:
> On Wed, 18 Feb 2026 08:53:56 +0100
> Christian via samba <samba at lists.samba.org> wrote:
>
>> On 2/16/26 08:07, Matthias Kühne | Ellerhold Aktiengesellschaft via
>> samba wrote:
>>> Hello Christian,
>>>
>>> Thanks! I've got the keytab now and klist -kte /etc/krb5.keytab shows
>>> entries, but using kinit on them leads to an error:
>>>
>>> kinit -kt /etc/krb5.keytab 'host/my-host at AD.ELLERHOLD.LAN'
>>> kinit: Client 'host/my-host at AD.ELLERHOLD.LAN' not found in Kerberos
>>> database while getting initial credentials
>>>
>>> Using kinit with 'my-host$@AD.ELLERHOLD.LAN' works though, but the
>>> ldapsearch doesn't work:
>>>
>>> ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H
>>> ldaps://dc1.ad.ellerhold.lan -b dc=AD,DC=ELLERHOLD,DC=LAN
>>> ldap_sasl_interactive_bind: Invalid credentials (49)
>>>        additional info: 80090346: LdapErr: DSID-0C090711, comment:
>>> AcceptSecurityContext error, data 35b, v1db1
>>>
>>> Any idea what I'm doing wrong?
>>>
>>> Thanks and have a nice day!
>> Hm. For the ldapsearch, try with ldap instead of with ldaps. And
>> without -Q.
>>
>> As for the keytab, what is the sanitized output of
>>
>> ktutil list
>>
>> (assuming heimdal ktutil)? Or
>>
>> ktutil
>> rkt /etc/krb5.keytab
>> list -te
>>
>> (assuming MIT ktutil)?
>>
>> What is the sanitized output of
>>
>> samba-tool spn list 'my-host$' ?
>>
>> Best
>>
>> Christian
>>
> You do not need to kinit to use a computer's Kerberos ticket and even if
> you do kinit using a computer's keytab, it probably will not work.
>
> OK, a computer is really just a user with an extra objectclass, but it
> also lacks something, a UPN.
>
> If I check for a keytab on a Debian 13 domain-joined computer running
> Samba 4.23.5, I get this:
>
> adminuser at debian13:~$ ls /etc/krb5.keytab
> ls: cannot access '/etc/krb5.keytab': No such file or directory
>
> So, no keytab
>
> If I try to run ldapsearch, I get this:
>
> adminuser at debian13:~$ sudo ldapsearch -Q -o ldif-wrap=no -Y GSSAPI -H ldap://dc01.samdom.example.com -b dc=SAMDOM,DC=EXAMPLE,DC=COM
> ldap_sasl_interactive_bind: Unknown authentication method (-6)
> 	additional info: SASL(-4): no mechanism available: No worthy mechs found
>
> However, if I use a similar ldbsearch:
>
> adminuser at debian13:~$ sudo ldbsearch -P --show-binary -H ldap://dc01.samdom.example.com -b dc=SAMDOM,DC=EXAMPLE,DC=COM
>
> I get an AD dump
>
> If you insist on using ldapsearch, you are going to have to do one of
> two things, either use an actual user instead of the computer, or give
> the computer a UPN.
>
> Rowland
>
-- 
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Web: www.ellerhold.de
Facebook: www.facebook.com/ellerhold.gruppe
Instagram: www.instagram.com/ellerhold.gruppe
LinkedIn: www.linkedin.com/company/ellerhold-gruppe

Amtsgericht Dresden / HRB 23769
Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold



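The sequence that worked in this post (kinit from the winbindd-synced keytab as the NAME$@REALM machine account, then ldapsearch with GSSAPI), scripted as an added example; this is not code from the thread or from Samba. It assumes MIT Kerberos klist/kinit (output format and flags), OpenLDAP ldapsearch, and the keytab path, DC and base DN used above; the klist output inside the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: script the sequence that worked
# above (kinit from the winbindd-synced keytab as the machine account, then
# ldapsearch with GSSAPI). Assumes MIT Kerberos klist/kinit output and flags,
# OpenLDAP ldapsearch, and the keytab path, DC and base DN used in the thread.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
DC_URI="${DC_URI:-ldap://dc1.ad.ellerhold.lan}"
BASE_DN="${BASE_DN:-dc=AD,dc=ELLERHOLD,dc=LAN}"

# Read `klist -kte` output on stdin and print the machine account principal
# (NAME$@REALM). The host/... entries in the same keytab are service
# principals: they hold keys for accepting tickets, not an account that can
# obtain a TGT, which is why kinit on host/my-host failed earlier in the thread.
# Returns 1 when no machine principal is present.
machine_principal_from_klist() {
    awk '$4 ~ "^[^/]+[$]@" { print $4; found = 1; exit } END { exit !found }'
}

# Constructed sample of MIT `klist -kte` output (not captured from a real host).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/18/2026 11:30:00 host/my-host.ad.ellerhold.lan@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   2 02/18/2026 11:30:00 host/MY-HOST@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
   2 02/18/2026 11:30:00 MY-HOST$@AD.ELLERHOLD.LAN (aes256-cts-hmac-sha1-96)
EOF
}

# Live part (needs the root-only keytab and network access to the DC).
# KRB5CCNAME must name a credential cache that kinit fills with a TGT; pointing
# it at the keytab itself, as tried above, yields "Bad format in credentials
# cache", because a keytab stores long-term keys, not tickets.
ldapsearch_as_machine() {
    princ=$(klist -kte "$KEYTAB" | machine_principal_from_klist) || {
        echo "no NAME\$@REALM entry in $KEYTAB" >&2
        return 1
    }
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc"
    export KRB5CCNAME
    kinit -kt "$KEYTAB" "$princ" || { rm -f "$cc"; return 1; }
    ldapsearch -o ldif-wrap=no -Y GSSAPI -H "$DC_URI" -b "$BASE_DN" "$@"
    rc=$?
    kdestroy >/dev/null 2>&1   # do not leave the machine account's TGT behind
    rm -f "$cc"
    return $rc
}

# Only touch the keytab and the DC when explicitly asked to.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    ldapsearch_as_machine '(objectClass=computer)' sAMAccountName
fi
```

Run it as root with `RUN_LIVE=1 ./script.sh`. Using a private credential cache and destroying it afterwards keeps the machine account's TGT from lingering in a shared cache where any other root process could reuse it.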