Generating Keytabs: Difference between revisions

From SambaWiki
Revision as of 11:15, 5 February 2014

Active Directory requires Kerberos service principal names (SPNs) to be mapped to a user account before a keytab can be generated.

You can add SPNs using the samba-tool utility provided with your Samba 4 installation.

samba-tool spn add host/fqdn@KerberosRealm sAMAccount

This should return without error.

To then generate a keytab for that principal, again using samba-tool, run the following:

samba-tool domain exportkeytab name.keytab --principal=host/fqdn@KerberosRealm

This produces the keytab for the principal that you exported, which can then be copied to your target machine or service.