Thorsten Otto
2025-Jun-19 14:34 UTC
[Samba] Asking help exporting a valid keytab file for cups http
Hello everyone,

I spent days on creating a valid keytab file for a cups server without success and I'd kindly ask for help.

The cups server is running on a host named cupsserver which is a domain member in a Samba 4 AD domain called domain.tld. Everything is running on Debian 12 Bookworm. Samba is using Heimdal Kerberos with realm DOMAIN.TLD.

On the primary domain controller I do:

root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
root@dc:~# samba-tool spn list cupsserver$
cupsserver$
User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld has the following servicePrincipalName:
    HOST/CUPSSERVER
    HOST/cupsserver.domain.tld
    HTTP/cupsserver.domain.tld@DOMAIN.TLD
root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HTTP/cupsserver.domain.tld
Export one principal to test.keytab
root@dc:~# ktutil -k test.keytab list
test.keytab:

Vno  Type                     Principal                              Aliases
228  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
228  arcfour-hmac-md5         HTTP/cupsserver.domain.tld@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~#

That's pretty much what I achieved. I tried the same without adding the realm at the end of the principal name, like it is in many examples over the web, but that doesn't change anything.

I checked DNS, service records, changing the enctypes and much more, but the last answer is always "client unknown". The system, one PDC and 10 additional DCs, one for each site of the company, has been working well and stable for years now.

I'd be really glad about any hint you could give me.

Thanks in advance
Thorsten
Rowland Penny
2025-Jun-19 16:19 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On Thu, 19 Jun 2025 16:34:33 +0200 Thorsten Otto via samba <samba@lists.samba.org> wrote:

> Hello everyone,
>
> I spent days on creating a valid keytab file for a cups server without
> success and I'd kindly ask for help.
>
> The cups server is running on a host named cupsserver which is a
> domain member in a samba 4 ad domain called domain.tld.
> Everything is running on Debian 12 Bookworm. Samba is using heimdal
> kerberos with realm DOMAIN.TLD

Have you tried Samba from bookworm backports?

> On the primary domain controller I do:

A bit nit-picking here, but you do not have a primary DC, all DCs are equal, it is just that one has the PDC_emulator FSMO role.

> root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD
> cupsserver$
> root@dc:~# samba-tool spn list cupsserver$
> cupsserver$
> User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> has the following servicePrincipalName:
> HOST/CUPSSERVER
> HOST/cupsserver.domain.tld
> HTTP/cupsserver.domain.tld@DOMAIN.TLD

That is another mistake, 'HOST' is a placeholder for other services (amongst which is 'HTTP'), you can see the entire list with:

sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings

Which should produce something like this:

# record 1
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc

I hope you can see from that, you should be able to use the server's host key.

Rowland
Kees van Vloten
2025-Jun-22 11:56 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On 19-06-2025 at 16:34, Thorsten Otto via samba wrote:

> Hello everyone,
>
> I spent days on creating a valid keytab file for a cups server without
> success and I'd kindly ask for help.
>
> The cups server is running on a host named cupsserver which is a domain
> member in a samba 4 ad domain called domain.tld.
> Everything is running on Debian 12 Bookworm. Samba is using heimdal
> kerberos with realm DOMAIN.TLD
>
> On the primary domain controller I do:
>
> root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD
> cupsserver$
> root@dc:~# samba-tool spn list cupsserver$
> cupsserver$
> User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> has the following servicePrincipalName:
> HOST/CUPSSERVER
> HOST/cupsserver.domain.tld
> HTTP/cupsserver.domain.tld@DOMAIN.TLD
> root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HTTP/cupsserver.domain.tld
> Export one principal to test.keytab
> root@dc:~# ktutil -k test.keytab list
> test.keytab:
>
> Vno  Type                     Principal                              Aliases
> 228  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 228  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 228  arcfour-hmac-md5         HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 227  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 227  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 226  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 226  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
> kinit: krb5_get_init_creds: Client (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown
> root@dc:~#
>
> That's pretty much what I achieved. I tried the same without adding the
> realm at the end of the principal name, like it is in many examples
> over the web, but that doesn't change anything.
>
> I checked dns, service records, changing the enctypes and much more but
> the last answer is always "client unknown" The system, one pdc and 10
> additional dcs, one for each site of the company, has been working well
> and stable for years now.
>
> I'd be really glad about any hint you could give me.

Hi Thorsten,

You are pretty far in the right direction. You correctly put an SPN on the machine account, which is what cups will use.

However, if you create an SPN it assumes the default port (for http that is 443). If your cups service listens to 631, which I assume, you have to put that in the SPN, i.e. "HTTP/cupsserver.domain.tld:631@DOMAIN.TLD"

- Kees

> Thanks in advance
> Thorsten
>
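Added example, not code from the thread or from Samba: a small parser for the keytab format version 2 (0x0502) that samba-tool domain exportkeytab and Heimdal's ktutil write, producing the Vno/Type/Principal columns Thorsten's ktutil listing shows, plus a check that the keytab actually carries the SPN the service will present, including the ":631" port form Kees suggests. The sample keytab bytes, the zeroed key material and the enctype table (RFC 3961 numbers 17, 18 and 23) are constructed here; build_keytab exists only to construct that sample.

```python
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def _cstr(buf, off):  # counted octet string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(kvno, enctype, 'svc/host@REALM'), ...], the columns `ktutil list` prints."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    entries, off = [], 2
    while off < len(data):
        size = struct.unpack_from(">i", data, off)[0]
        assert size > 0, "deleted slots (negative size) are not handled"
        off, end = off + 4, off + 4 + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp)
        _ntype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # skip the fixed fields and the key bytes
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append((vno, ENCTYPES.get(etype, str(etype)), "/".join(comps) + "@" + realm))
        off = end
    return entries

def build_keytab(entries):
    """Write (kvno, etype_number, 'svc/host@REALM') entries; used only to construct sample data."""
    out = b"\x05\x02"
    for vno, etype, princ in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
        key = bytes(32 if etype == 18 else 16)   # zeroed dummy key material
        body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, etype, len(key)) + key + struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return out

def check_spn(data, service, host, port=None):
    """Is the SPN the service will present in the keytab? A non-default port is part of the name."""
    want = f"{service}/{host}" + (f":{port}" if port else "")
    hits = [(v, e) for v, e, p in parse_keytab(data) if p.split("@", 1)[0] == want]
    return {"spn": want, "found": bool(hits), "kvnos": sorted({v for v, _ in hits}),
            "weak": sorted({e for _, e in hits if e == "arcfour-hmac-md5"})}

# Constructed sample mirroring the thread's export: kvno 228, three enctypes, no port in the SPN
SAMPLE = build_keytab([(228, t, "HTTP/cupsserver.domain.tld@DOMAIN.TLD") for t in (18, 17, 23)])
```

Run against a real export with parse_keytab(open("test.keytab", "rb").read()); the "weak" list flags arcfour-hmac-md5 entries, which the thread's export still contains.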