Rowland Penny
2025-Jun-20 08:21 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On Fri, 20 Jun 2025 05:52:36 +0200
Thorsten Otto via samba <samba at lists.samba.org> wrote:

> Hello and thanks again for your answer.
>
> But shouldn't the "kinit" with the exported keytab work also if I
> don't need it?
>
> And how can I use the HOST principal for cups if the keytab isn't
> working?
>
> Thorsten
>

I normally do not use a computer keytab on Linux, so just naively
believed it would work, it doesn't :-(

What does work, you can export a keytab with the 'http' SPN prefix
without there actually being any such SPN in AD, provided there is a
SPN that starts with 'host'.

If you try to use the keytab, you get this:

kinit: Client 'host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

When there is quite obviously a servicePrincipalName attribute
containing that in AD.

I stared at the computer's object for quite some time until it hit me,
while 'devstation' had a few SPNs, it didn't have a userPrincipalName
attribute, so adding:

userPrincipalName: host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM

Led to a successful kinit, which led to this:

rowland@devstation:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
20/06/25 09:07:17  20/06/25 19:07:17  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 21/06/25 09:07:17

Hope this helps.

Rowland
Thorsten Otto
2025-Jun-20 10:57 UTC
[Samba] Asking help exporting a valid keytab file for cups http
Hi Rowland,

thanks again for your support. With your hints I seemingly got a bit
further. But probably I am lacking too many basics.

I added the userPrincipalName via

samba-tool computer edit cupsserver$

I tried four variations (one after the other, not at once):

userPrincipalName: host/cupsserver.domain.tld
userPrincipalName: host/cupsserver.domain.tld@DOMAIN.TLD
userPrincipalName: HOST/cupsserver.domain.tld
userPrincipalName: HOST/cupsserver.domain.tld@DOMAIN.TLD

In every case I didn't get a ticket with

kinit -k -t test.keytab http/cupsserver.domain.tld
kinit -k -t test.keytab http/cupsserver.domain.tld@DOMAIN.TLD
kinit -k -t test.keytab HTTP/cupsserver.domain.tld
kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD

but the error message changed to:

kinit: Client 'HTTP/ewsfs.wetek.intern@WETEK.INTERN' wurde nicht in der Kerberos-Datenbank gefunden bei Anfängliche Anmeldedaten werden geholt.

(kinit: Client 'host/devstation.samdom.example.com@SAMDOM.EXAMPLE.COM' not found in Kerberos database while getting initial credentials)

before it was:

kinit: krb5_get_init_creds: Client (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown

Best regards,
Thorsten
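Before trying every spelling of the principal with kinit -k -t, it helps to see exactly which principals the exported keytab contains (klist -k -t test.keytab shows this). The script below is an added example, not from this thread or from Samba: it builds a constructed keytab in memory, parses the MIT/Heimdal "0x0502" keytab layout, and checks a principal name case-sensitively, since Kerberos treats HTTP/ and http/ as different principals; hostnames and keys are made up.

```python
import struct

# Keytab layout (version 0x0502): 2-byte magic, then entries of
#   int32 size | uint16 ncomp | realm | component... | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | key
# where realm, components and key are uint16-length-prefixed byte strings.


def _cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples into keytab bytes.
    Constructed sample data only; the keys are dummy bytes."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno)  # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def keytab_principals(data):
    """Return [(principal@REALM, kvno, enctype)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, found = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:           # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _, _, kvno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        found.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end               # skips the key and any trailing 32-bit kvno
    return found


def has_principal(data, wanted):
    """Exact, case-sensitive match, the same way kinit -k looks a name up."""
    return any(p == wanted for p, _, _ in keytab_principals(data))
```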