Generating Keytabs

From SambaWiki
Revision as of 15:54, 14 September 2016 by Hortimech (talk | contribs) (/ correct grammar and who the principal should be)

Active Directory requires Kerberos service principal names (SPNs) to be mapped to a user account before a keytab can be generated.

You can add SPNs to a user with samba-tool, which is provided with your Samba 4 installation.

samba-tool spn add host/fqdn@KerberosRealm <sAMAccount name>

This should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:

samba-tool domain exportkeytab <name>.keytab --principal=<sAMAccount name>

This should then produce a keytab for the principal <sAMAccount name> and this can then be copied to your target machine or service.

Note: replace <sAMAccount name> with a valid user name and <name> with whatever you want the keytab to be called. This can also include a path to where you want the keytab to be created.
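
The two steps above as one script, as an added example that is not part of the wiki page or of Samba itself. It checks the SPN and account name before they reach samba-tool and creates the keytab readable by its owner only. The names SAMBA_TOOL, valid_spn and make_keytab are chosen for this example, and refusing to overwrite an existing keytab is a choice made here.

```shell
#!/bin/sh
# Added example. SAMBA_TOOL, valid_spn and make_keytab are names chosen here.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Accept only service/host.fqdn with an optional @REALM suffix.
valid_spn() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(@[A-Za-z0-9.-]+)?$'
}

# make_keytab <spn> <sAMAccount name> <keytab path>
make_keytab() {
    spn=$1; account=$2; keytab=$3
    valid_spn "$spn" || { echo "invalid SPN: $spn" >&2; return 2; }
    # An empty name or one starting with '-' would be read as an option.
    case $account in
        ''|-*) echo "invalid account name" >&2; return 2 ;;
    esac
    # Choice made for this example: never touch an existing keytab.
    if [ -e "$keytab" ]; then
        echo "refusing to overwrite $keytab" >&2; return 3
    fi
    # Step 1: map the SPN to the account.
    "$SAMBA_TOOL" spn add "$spn" "$account" || return 4
    # Step 2: export. The keytab holds the account's long-term keys, so it is
    # created under umask 077 and is never group- or world-readable.
    ( umask 077 && "$SAMBA_TOOL" domain exportkeytab "$keytab" \
        --principal="$account" ) || return 5
    [ -s "$keytab" ] || { echo "no keytab written to $keytab" >&2; return 6; }
    chmod 600 "$keytab"   # enforce owner-only even if the tool set its own mode
}

# Run the procedure only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    make_keytab "$@"
fi
```

Each failing step returns a distinct exit code (2 to 6), so a calling script can tell a rejected argument from a samba-tool failure.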