I found several howtos even on official Samba resources, which use kadmin to obtain keytabs. There's also a patch to implement this interface dating back about 10 years. However, my DC seems to reject connections: root at my_ad_dc:/# kadmin kadmin> list * kadmin: connect(my_ad_dc.domain.example.com): Connection refused kadmin: failed to contact my_ad_dc.domain.example.com kadmin: kadm5_get_principals: Operation failed for unspecified reason kadmin> Interestingly the error description is different when using MIT from remote: root at a_client:~# kadmin -p Administrator Authenticating as principal Administrator with password. kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface Is it required to enable this interface by some option? At least the string kadmin does not appear in man smb.conf. Could you share any experiences?