Generating Keytabs

Active Directory requires Kerberos service principal names (SPNs) to be mapped to a user account before a keytab can be generated.

You can add SPNs using the samba-tool utility provided with your Samba 4 installation.

samba-tool spn add host/fqdn@KerberosRealm sAMAccount

This should return without error.

To then generate a keytab for that principal, again using samba-tool, run the following:

samba-tool domain exportkeytab name.keytab --principal=host/fqdn@KerberosRealm

This produces a keytab for the principal that you exported, which can then be copied to your target machine or service.