Web lists-archives.com

Re: [Samba] Export keytab for SPN




Hi all,

It was necessary to add another spn without Kerberos realm:

samba-tool spn add HTTP/srv1.ad.brotel.cz svc_confluence_sso

and then the export worked:
samba-tool domain exportkeytab  srv1.ad.brotel.cz.keytab  --principal=HTTP/
srv1.ad.brotel.cz@xxxxxxxxxxxx

Here is the information source that pointed me to the right direction:
https://lists.samba.org/archive/samba/2016-February/197893.html

Can somebody explain me, why the original SPN created by command:
samba-tool spn add HTTP/srv1.ad.brotel.cz@xxxxxxxxxxxx svc_confluence_sso
wasn't enough?

Best regards

Michal


2018-08-08 8:40 GMT+02:00 Michal Sládek <michal@xxxxxxxxxxx>:

> Hello,
>
> I am trying to export keytab by following this guide:
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> OS: CentOS 7.5
> Samba: samba-dc-4.7.6-0.el7.centos.x86_64 (from Tranquil repo)
>
> Everything seems to work, but keytab is not exported (keytab file is not
> created).
>
> [root@ads1 /]# net ads enctypes list svc_confluence_sso
> 'svc_confluence_sso' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> [root@ads1 /]# samba-tool spn list svc_confluence_sso
> svc_confluence_sso
> User CN=SSO Confluence,CN=Users,DC=ad,DC=brotel,DC=cz has the following
> servicePrincipalName:
>          HTTP/srv1.ad.brotel.cz@xxxxxxxxxxxx
>
> [root@ads1 /]# samba-tool domain exportkeytab test.keytab
> --principal=HTTP/srv1.ad.brotel.cz@xxxxxxxxxxxx
> Export one principal to test.keytab
>
> [root@ads1 /]# ls *.keytab
> ls: cannot access *.keytab: No such file or directory
>
> Exporting keytab for user svc_confluence_sso works.
>
> Do you have any suggestions?
>
> Best regards
>
> Michal
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba