Generating Keytabs: Difference between revisions

From SambaWiki
No edit summary
m (/ correct grammar and who the principal should be)
Line 1: Line 1:
Active directory requires kerberos service principle names to be mapped to a user account before a keytab can be generated.
Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.


you can add spn names using the samba-tool provided with your samba 4 installation.
You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.


samba-tool spn add host/fdqn@KerberosRealm sAMAccount
samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>


this should return without error.
This should return without error.




to then generate a keytab for that principle again using the samba-tool run the following
Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:


samba-tool domain exportkeytab name.keytab --principal=host/fdqn@KerberosRealm
samba-tool domain exportkeytab <name>.keytab --principal=<sAMAccount name>


this should then produce the keytab for the principle that you have exported and this can then be copied to your target machine or service.
This should then produce a keytab for the principal <sAMAccount name> and this can then be copied to your target machine or service.

'''Note:''' replace <sAMAccount name> with a valid user name and <name> with whatever you what the keytab to be called. This can also include a path to where you want the keytab to be created.

Revision as of 15:54, 14 September 2016

Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.

You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation. 

samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>

This should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following: 

samba-tool domain exportkeytab  <name>.keytab  --principal=<sAMAccount name>

This should then produce a keytab for the principal <sAMAccount name> and this can then be copied to your target machine or service.

Note: replace <sAMAccount name> with a valid user name and <name> with whatever you what the keytab to be called. This can also include a path to where you want the keytab to be created.

Retrieved from "https://wiki.samba.org/index.php?title=Generating_Keytabs&oldid=11907"