Difference between revisions of "Generating Keytabs"
From SambaWiki
Damien.dye (talk | contribs) |
m (/ correct grammar and who the principal should be) |
||
| Line 1: | Line 1: | ||
| − | Active directory requires |
+ | Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated. |
| − | + | You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation. |
|
| − | samba-tool spn add host/fdqn@KerberosRealm sAMAccount |
+ | samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name> |
| − | + | This should return without error. |
|
| − | + | Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following: |
|
| − | samba-tool domain exportkeytab name.keytab --principal= |
+ | samba-tool domain exportkeytab <name>.keytab --principal=<sAMAccount name> |
| − | + | This should then produce a keytab for the principal <sAMAccount name> and this can then be copied to your target machine or service. |
|
| + | |||
| + | '''Note:''' replace <sAMAccount name> with a valid user name and <name> with whatever you what the keytab to be called. This can also include a path to where you want the keytab to be created. |
||
Revision as of 15:54, 14 September 2016
Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.
You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.
samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>
This should return without error.
Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:
samba-tool domain exportkeytab <name>.keytab --principal=<sAMAccount name>
This should then produce a keytab for the principal <sAMAccount name> and this can then be copied to your target machine or service.
Note: replace <sAMAccount name> with a valid user name and <name> with whatever you what the keytab to be called. This can also include a path to where you want the keytab to be created.