Generating Keytabs: Difference between revisions
m (correct grammar and who the principal should be)
m (fix my error)
Line 10:
  Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:
- samba-tool domain exportkeytab <name>.keytab --principal=<sAMAccount name>
+ samba-tool domain exportkeytab <name>.keytab --principal=[<sAMAccount name> | <SPN>]
- This should then produce a keytab
+ This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.
- '''Note:''' replace <sAMAccount name> with a valid user name and <name> with whatever you what the keytab to be called
+ '''Note:''' replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created.
+ You should only use <sAMAccount name> or <SPN>, you should not use both.
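Review bot: The new Note line carries the typo "whatever you what the keytab to be called" (should be "want") and "the users upn" is missing its apostrophe ("the user's UPN"); the added "this can also include a path" clause would read better as its own sentence, e.g. "<name> can also include a path to where the keytab should be created."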
Revision as of 17:41, 14 September 2016
Active Directory requires a Kerberos service principal name (SPN) to be mapped to a user account before a keytab can be generated for it.
You can add SPNs to a user with samba-tool, which is provided with your Samba 4 installation:
samba-tool spn add host/fqdn@KerberosRealm <sAMAccount name>
This should return without error.
Once the SPN is added, you can generate a keytab for the user with samba-tool by running the following:
samba-tool domain exportkeytab <name>.keytab --principal=[<sAMAccount name> | <SPN>]
This should produce a keytab called <name>.keytab containing the user's UPN or the SPN, depending on which is given with '--principal'; the keytab can then be copied to your target machine or service.
Note: replace <sAMAccount name> with a valid user name, <SPN> with the SPN you added earlier, and <name> with whatever you want the keytab to be called; <name> can also include a path to where you want the keytab to be created. Use either <sAMAccount name> or <SPN>, not both.
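The two steps above as one script, added here as an example and not code from the Samba wiki: it checks the SPN shape, maps the SPN to the account, exports a keytab for that SPN and restricts the file, since a keytab holds the account's long-term keys. Assumed: it runs as root on the Samba AD DC with samba-tool on PATH, and MIT krb5 klist is optional, used only to list the exported entries.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): wraps the samba-tool steps
# described above with an SPN format check and keytab file hygiene.
# Assumptions: run as root on the Samba AD DC with samba-tool on PATH;
# klist (MIT krb5) is optional and only lists the exported entries.
set -eu

# Return 0 if $1 has the shape service/fqdn@REALM used on this page.
valid_spn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]*/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$'
}

# Pick the --principal value: exactly one of sAMAccountName ($1) or SPN ($2)
# may be given, mirroring the page's "not both" rule. Prints the choice.
principal_arg() {
  if [ -n "$1" ] && [ -n "$2" ]; then
    echo "principal_arg: give either the sAMAccountName or the SPN, not both" >&2
    return 1
  elif [ -n "$1" ]; then printf '%s\n' "$1"
  elif [ -n "$2" ]; then printf '%s\n' "$2"
  else
    echo "principal_arg: a principal is required" >&2
    return 1
  fi
}

# Whole procedure: map the SPN to the account, export a keytab for the SPN,
# and lock the file down to its owner.
generate_keytab() {  # $1 = sAMAccountName, $2 = SPN, $3 = keytab path
  valid_spn "$2" || { echo "invalid SPN: $2" >&2; return 1; }
  principal=$(principal_arg "" "$2")
  samba-tool spn add "$2" "$1"
  umask 077                                    # new files are owner-only
  samba-tool domain exportkeytab "$3" --principal="$principal"
  chmod 600 "$3"                               # belt and braces for the keytab
  if command -v klist >/dev/null 2>&1; then klist -k "$3"; fi
}

# Usage: ./make_keytab.sh <sAMAccountName> host/fqdn@REALM /path/to/<name>.keytab
if [ "$#" -eq 3 ]; then
  generate_keytab "$1" "$2" "$3"
fi
```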