Generating Keytabs

Revision as of 11:15, 5 February 2014 by Damien.dye (talk | contribs)

Active directory requires kerberos service principle names to be mapped to a user account before a keytab can be generated.

you can add spn names using the samba-tool provided with your samba 4 installation.

samba-tool spn add host/fdqn@KerberosRealm sAMAccount 

this should return without error.


to then generate a keytab for that principle again using the samba-tool run the following

samba-tool domain exportkeytab  name.keytab  --principal=host/fdqn@KerberosRealm

this should then produce the keytab for the principle that you have exported and this can then be copied to your target machine or service.