Hi all,
It was necessary to add another spn without Kerberos realm:
samba-tool spn add HTTP/srv1.ad.brotel.cz svc_confluence_sso
and then the export worked:
samba-tool domain exportkeytab srv1.ad.brotel.cz.keytab --principal=HTTP/
srv1.ad.brotel.cz at AD.BROTEL.CZ
Here is the information source that pointed me to the right direction:
https://lists.samba.org/archive/samba/2016-February/197893.html
Can somebody explain me, why the original SPN created by command:
samba-tool spn add HTTP/srv1.ad.brotel.cz at AD.BROTEL.CZ svc_confluence_sso
wasn't enough?
Best regards
Michal
2018-08-08 8:40 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:
> Hello,
>
> I am trying to export keytab by following this guide:
>
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> OS: CentOS 7.5
> Samba: samba-dc-4.7.6-0.el7.centos.x86_64 (from Tranquil repo)
>
> Everything seems to work, but keytab is not exported (keytab file is not
> created).
>
> [root at ads1 /]# net ads enctypes list svc_confluence_sso
> 'svc_confluence_sso' uses
"msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> [root at ads1 /]# samba-tool spn list svc_confluence_sso
> svc_confluence_sso
> User CN=SSO Confluence,CN=Users,DC=ad,DC=brotel,DC=cz has the following
> servicePrincipalName:
> HTTP/srv1.ad.brotel.cz at AD.BROTEL.CZ
>
> [root at ads1 /]# samba-tool domain exportkeytab test.keytab
> --principal=HTTP/srv1.ad.brotel.cz at AD.BROTEL.CZ
> Export one principal to test.keytab
>
> [root at ads1 /]# ls *.keytab
> ls: cannot access *.keytab: No such file or directory
>
> Exporting keytab for user svc_confluence_sso works.
>
> Do you have any suggestions?
>
> Best regards
>
> Michal
>