Difference between revisions of "Generating Keytabs"

Line 1: Line 1:
 
 
Active directory requires kerberos service principle names to be mapped to a user account before a keytab can be generated.
 
Active directory requires kerberos service principle names to be mapped to a user account before a keytab can be generated.
  
 
you can add spn names using the samba-tool provided with your samba 4 installation.
 
you can add spn names using the samba-tool provided with your samba 4 installation.
  
samba-tool spn add host/fdqn@KerberosRealm sAMAccount  
+
samba-tool spn add host/fdqn@KerberosRealm sAMAccount  
  
 
this should return without error.
 
this should return without error.
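Review bot: In the changed "samba-tool spn add" line, the placeholder "host/fdqn@KerberosRealm" reads as a transposition of FQDN; suggest "host/fqdn@KerberosRealm". The context lines around it spell the Kerberos term as "principle" where "service principal name" is meant, which is worth correcting in the same edit. Both sides of the changed line carry the same text here, so the change appears to be whitespace only, and an edit summary saying so would help.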
Line 11: Line 10:
 
to then generate a keytab for that principle again using the samba-tool run the following
 
to then generate a keytab for that principle again using the samba-tool run the following
  
samba-tool domain exportkeytab  name.keytab  --principal=host/fdqn@KerberosRealm
+
samba-tool domain exportkeytab  name.keytab  --principal=host/fdqn@KerberosRealm
  
 
this should then produce the keytab for the principle that you have exported and this can then be copied to your target machine or service.
 
this should then produce the keytab for the principle that you have exported and this can then be copied to your target machine or service.
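Review bot: The context line after the changed "samba-tool domain exportkeytab" command says the keytab "can then be copied to your target machine or service" with no handling guidance. A keytab holds the principal's long-term keys, so suggest adding that the file should be readable only by the account running the service and should be moved over an encrypted channel. The "fdqn" placeholder and the "principle" spelling recur in this hunk and should be fixed together with the first.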

Revision as of 11:15, 5 February 2014

Active Directory requires Kerberos service principal names (SPNs) to be mapped to a user account before a keytab can be generated.

You can add SPNs using the samba-tool provided with your Samba 4 installation.

samba-tool spn add host/fqdn@KerberosRealm sAMAccount

This should return without error.

To then generate a keytab for that principal, again using samba-tool, run the following:

samba-tool domain exportkeytab name.keytab --principal=host/fqdn@KerberosRealm

This should produce the keytab for the principal that you have exported, which can then be copied to your target machine or service.
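Before the exported file is copied anywhere, it is worth confirming that it holds only the principal you asked for and no legacy encryption types. The following is an added example, not part of the original page or of Samba: it assumes the export is a standard keytab in file format 0x0502, and the host names and the sample_entry helper are constructed for illustration.

```python
import struct

WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}  # DES and RC4

def _counted(buf, pos):  # read a uint16 length-prefixed field -> (bytes, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                      # a negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, cur = _counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, cur = _counted(rec, cur)
            parts.append(part.decode())
        kvno, enctype = struct.unpack_from(">BH", rec, cur + 8)  # after name type, timestamp
        _, cur = _counted(rec, cur + 11)   # key bytes are skipped, never kept
        if len(rec) - cur >= 4:            # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", rec, cur)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
    return entries

def audit_keytab(data, expected_principal):
    """List entries that are not the expected principal or use a weak enctype."""
    findings = []
    for principal, kvno, enctype in parse_keytab(data):
        if principal != expected_principal:
            findings.append(f"unexpected principal {principal} (kvno {kvno})")
        if enctype in WEAK_ENCTYPES:
            findings.append(f"{principal}: weak enctype {WEAK_ENCTYPES[enctype]}")
    return findings

def sample_entry(principal, kvno, enctype):  # constructed test data, dummy all-zero key
    field = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.split("@")
    parts = [p.encode() for p in name.split("/")]
    body = struct.pack(">H", len(parts)) + field(realm.encode()) + b"".join(map(field, parts))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + field(bytes(16))
    return struct.pack(">i", len(body)) + body
```

To check a real export, pass the bytes of name.keytab and the principal given to --principal to audit_keytab; an empty list means nothing unexpected was found.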