Generating Keytabs
Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.
You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation.
samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>
This should return without error.
Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following:
samba-tool domain exportkeytab <name>.keytab --principal=[<sAMAccount name> | <SPN>]
This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.
Note: replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created. You should only use <sAMAccount name> or <SPN>, you should not use both.