Generating Keytabs

From SambaWiki
Revision as of 17:41, 14 September 2016 by Hortimech (talk | contribs) (/* fix my error)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Active directory requires Kerberos service principal names to be mapped to a user account before a keytab can be generated.

You can add SPN names to a user with samba-tool, this is provided with your samba 4 installation. 

samba-tool spn add host/fdqn@KerberosRealm <sAMAccount name>

This should return without error.


Once the SPN is added, you can then generate a keytab for the user with samba-tool, by running the following: 

samba-tool domain exportkeytab  <name>.keytab  --principal=[<sAMAccount name> | <SPN>]

This should then produce a keytab called <name>.keytab containing the users upn or the spn, depending on which is given with '--principal' and this can then be copied to your target machine or service.

Note: replace <sAMAccount name> with a valid user name, <SPN> with the spn you added earlier and <name> with whatever you what the keytab to be called, this can also include a path to where you want the keytab to be created. You should only use <sAMAccount name> or <SPN>, you should not use both.

Retrieved from "https://wiki.samba.org/index.php?title=Generating_Keytabs&oldid=11908"