Thorsten Otto
2025-Jun-19 17:11 UTC
[Samba] Asking help exporting a valid keytab file for cups http
Thank you so much for your answer.

On Thursday, 19.06.2025 at 17:19 +0100, Rowland Penny via samba wrote:
> On Thu, 19 Jun 2025 16:34:33 +0200
> Thorsten Otto via samba <samba@lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > I spent days on creating a valid keytab file for a cups server without
> > success and I'd kindly ask for help.
> >
> > The cups server is running on a host named cupsserver which is a
> > domain member in a samba 4 ad domain called domain.tld.
> > Everything is running on Debian 12 Bookworm. Samba is using heimdal
> > kerberos with realm DOMAIN.TLD
>
> Have you tried Samba from bookworm backports ?

Yes, I did. Additionally I did a fresh apt full-upgrade -t bookworm-backports and rebooted right now.

> > On the primary domain controller I do:
>
> A bit nit-picking here, but you do not have a primary DC, all DCs are
> equal, it is just that one has the PDC_emulator FSMO role.
>
> > root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> > root@dc:~# samba-tool spn list cupsserver$
> > cupsserver$
> > User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> > has the following servicePrincipalName:
> >          HOST/CUPSSERVER
> >          HOST/cupsserver.domain.tld
> >          HTTP/cupsserver.domain.tld@DOMAIN.TLD
>
> That is another mistake, 'HOST' is a placeholder for other services
> (amongst which is 'HTTP'), you can see the entire list with:

I did not create the HOST entries. They must have been put there by samba or another service.

> sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings
>
> Which should produce something like this:
>
> # record 1
> dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
> sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
>
> I hope you can see from that, you should be able to use the servers host key.
>
> Rowland

I get the same output for the mappings. But I don't really understand how I could use that for the http authentication.

I tried these steps and got the same error as before:

root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HOST/cupsserver.domain.tld
Export one principal to test.keytab
root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HOST/CUPSSERVER
Export one principal to test.keytab
root@dc:~# ktutil -k test.keytab list
test.keytab:

Vno  Type                     Principal                               Aliases
228  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  arcfour-hmac-md5         HOST/cupsserver.domain.tld@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96  HOST/cupsserver.domain.tld@DOMAIN.TLD
228  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
228  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
228  arcfour-hmac-md5         HOST/CUPSSERVER@DOMAIN.TLD
227  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
227  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
226  aes256-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD
226  aes128-cts-hmac-sha1-96  HOST/CUPSSERVER@DOMAIN.TLD

root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/cupsserver.domain.tld@DOMAIN.TLD in keytab FILE:test.keytab (unknown enctype)
root@dc:~# kinit -k -t test.keytab HOST/cupsserver.domain.tld
kinit: krb5_get_init_creds: Client (HOST/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HOST/CUPSSERVER
kinit: krb5_get_init_creds: Client (HOST/CUPSSERVER@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/cupsserver.domain.tld@DOMAIN.TLD in keytab FILE:test.keytab (unknown enctype)
root@dc:~# kinit -k -t test.keytab HOST/cupsserver.domain.tld@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HOST/cupsserver.domain.tld@DOMAIN.TLD) unknown
root@dc:~# kinit -k -t test.keytab HOST/CUPSSERVER@DOMAIN.TLD
kinit: krb5_get_init_creds: Client (HOST/CUPSSERVER@DOMAIN.TLD) unknown
Rowland Penny
2025-Jun-19 18:07 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On Thu, 19 Jun 2025 19:11:45 +0200
Thorsten Otto via samba <samba@lists.samba.org> wrote:

> Thank you so much for your answer.
>
> On Thursday, 19.06.2025 at 17:19 +0100, Rowland Penny via samba wrote:
> > On Thu, 19 Jun 2025 16:34:33 +0200
> > Thorsten Otto via samba <samba@lists.samba.org> wrote:
> >
> > > root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> > > root@dc:~# samba-tool spn list cupsserver$
> > > cupsserver$
> > > User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> > > has the following servicePrincipalName:
> > >          HOST/CUPSSERVER
> > >          HOST/cupsserver.domain.tld
> > >          HTTP/cupsserver.domain.tld@DOMAIN.TLD
> >
> > That is another mistake, 'HOST' is a placeholder for other services
> > (amongst which is 'HTTP'), you can see the entire list with:
>
> I did not create the HOST entries. They must have been put there by
> samba or another service.

I wasn't referring to the 'HOST' part, I was referring to the 'HTTP' part, you do not need it.

> > sudo ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'dc=samdom,dc=example,dc=com' -s sub '(sPNMappings=*)' sPNMappings

If you replace the '-P' above with '--use-kerberos', it still works, but using kerberos.

> > Which should produce something like this:
> >
> > # record 1
> > dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
> > sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
> >
> > I hope you can see from that, you should be able to use the servers host key.
> >
> > Rowland
>
> I get the same output for the mappings. But I don't really understand
> how I could use that for the http authentication. I tried these
> steps and got the same error as before

What I am saying is, you should not need the 'HTTP' SPN, because the standard 'HOST' SPN should cover it.

Rowland
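As an added example (not code from either poster or from Samba), a small Python check of the two things the thread turns on: which principals a keytab file actually holds (the exported file above has only HOST keys, hence the "Failed to find HTTP/..." error), and which key the KDC's sPNMappings fall-back would use for an HTTP service principal. It assumes the common keytab file format 0x0502 (as written by Heimdal and MIT), a principal given with its realm, and an alias list abbreviated from the quoted host= mapping.

```python
import struct

def build_keytab(entries):               # (principal, kvno, enctype, key) -> 0x0502 bytes
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1)          # component count
        for s in [realm] + name.split("/"):                    # counted_octet_strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension written by Heimdal/MIT
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each live entry, like `ktutil list`."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size = deleted slot; zero = padding
            pos += -size or len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        strs, p = [], pos + 2
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strs.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        vno8, p = data[p + 8], p + 9     # skip name_type (u32) and timestamp (u32)
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4 + keylen                  # past enctype, key length and the key itself
        kvno = struct.unpack_from(">I", data, p)[0] if p + 4 <= end else 0
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno or vno8, enctype))
        pos = end
    return entries

def find_key(entries, principal):        # exact match, or HOST's key for an aliased service
    service, rest = principal.split("/", 1)
    wanted = {principal.upper()}         # AD KDCs compare SPNs case-insensitively
    if service.lower() in "cifs,spooler,www,http,w3svc,iisadmin".split(","):
        wanted.add(f"HOST/{rest}".upper())   # sPNMappings host= aliases (abbreviated)
    return [e for e in entries if e[0].upper() in wanted]

SAMPLE_KEYTAB = build_keytab([           # constructed: HOST keys only, no HTTP entry, as in the thread
    ("HOST/cupsserver.domain.tld@DOMAIN.TLD", 228, 18, b"\x11" * 32),   # aes256-cts
    ("HOST/CUPSSERVER@DOMAIN.TLD", 300, 18, b"\x22" * 32),              # kvno > 255
])
```

Running `parse_keytab` on a real export shows the same rows as `ktutil list`; `find_key` shows that an HTTP request resolves to the HOST key, while a service that is not in the mapping gets nothing.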