Tim Vangehugten
2013-Apr-29 16:52 UTC
[Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
Hi, I was trying to get a new keytab in samba4 for my apache service. So I tried the following command: sh ktpass.sh --out /etc/apache.keytab --princ HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN --pass VerySecure123 --enc des-cbc-md5 I get the following error: Unable to find kvno for principal HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN Am I doing something wron or shouldn't I be using ktpass.sh? Best Regards Tim Vangehugten
Marc Muehlfeld
2013-Apr-29 20:40 UTC
[Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
Hello Tim, Am 29.04.2013 18:52, schrieb Tim Vangehugten:> I was trying to get a new keytab in samba4 for my apache service. So I > tried the following command: > > sh ktpass.sh --out /etc/apache.keytab --princ > HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN --pass VerySecure123 --enc > des-cbc-md5 > > I get the following error: Unable to find kvno for principal > HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN > > Am I doing something wron or shouldn't I be using ktpass.sh?Maybe you find here something helpfull: https://wiki.samba.org/index.php/Samba4/beyond#Apache_Single_Sign-On Regards, Marc
Matthieu Patou
2013-Apr-30 04:31 UTC
[Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
On 04/29/2013 09:52 AM, Tim Vangehugten wrote:> Hi, > > I was trying to get a new keytab in samba4 for my apache service. So I > tried the following command: > > sh ktpass.sh --out /etc/apache.keytab --princ > HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN --pass VerySecure123 --enc > des-cbc-md5 > > I get the following error: Unable to find kvno for principal > HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAINCan you do a search like this: ldbsearch -H ldap://<ip_of_you_dc> '(serviceprincipalname=HTTP/myhost.samba.my.domain)' servicePrincipalName -U <user> I'm suspecting that the SPN is not existing yet. Matthieu. -- Matthieu Patou Samba Team http://samba.org
Giedrius
2013-May-30 17:32 UTC
[Samba] ktpass.sh error / How to generate a keytab for a new service (apache) with SAMBA4?
Hi,
had the same error trying to re-setup DNS keytab.
In my setup kvno was indeed existing, not seen by ktpass.sh
The problem:
1) ldbsearch -k 1 does not work with ldap://localhost or
ldap://IP you *must*** use hostname of the machine
2) ldbsearch (at least in my setup) does not exists,
where ktpass.sh is trying to find it.... and ktpass.sh *does not
complain about it*
Try passing: --path-to-ldbsearch <directory_of_ldbsearch>
Or alternatively, apply attached path to your samba source tree (ne
recompile needed)
You can verify if you have this principal by: samba-tool spn list
<your user that should have this principal>
2013.04.29 19:52, Tim Vangehugten ra??:> Hi,
>
> I was trying to get a new keytab in samba4 for my apache service. So I
> tried the following command:
>
> sh ktpass.sh --out /etc/apache.keytab --princ
> HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN --pass VerySecure123 --enc
> des-cbc-md5
>
> I get the following error: Unable to find kvno for principal
> HTTP/myhost.samba.my.domain at SAMBA.MY.DOMAIN
>
> Am I doing something wron or shouldn't I be using ktpass.sh?
>
>
> Best Regards
> Tim Vangehugten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ktpass.patch
Type: text/x-patch
Size: 961 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20130530/efca2f30/attachment.bin>
Apparently Analagous Threads
- how to run ktpass with a Samba AD DC?
- Extracting the trust account password (for use with Win2k's ktpass)?
- Kerberos Principal
- Looking for GSSAPI config [was: Looking for NTLM config example]
- samba 3, ADS, kerberos, keytab problem - Additional pre-authentication required