Kees van Vloten
2025-Jun-22 11:56 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On 19-06-2025 at 16:34, Thorsten Otto via samba wrote:
> Hello everyone,
>
> I spent days on creating a valid keytab file for a cups server without
> success and I'd kindly ask for help.
>
> The cups server is running on a host named cupsserver which is a domain
> member in a samba 4 ad domain called domain.tld.
> Everything is running on Debian 12 Bookworm. Samba is using heimdal
> kerberos with realm DOMAIN.TLD
>
> On the primary domain controller I do:
>
> root@dc:~# samba-tool spn add HTTP/cupsserver.domain.tld@DOMAIN.TLD cupsserver$
> root@dc:~# samba-tool spn list cupsserver$
> cupsserver$
> User CN=CUPSSERVER,OU=Dateiserver,OU=Linux,OU=Rechner,DC=domain,DC=tld
> has the following servicePrincipalName:
> HOST/CUPSSERVER
> HOST/cupsserver.domain.tld
> HTTP/cupsserver.domain.tld@DOMAIN.TLD
> root@dc:~# samba-tool domain exportkeytab test.keytab --principal=HTTP/cupsserver.domain.tld
> Export one principal to test.keytab
> root@dc:~# ktutil -k test.keytab list
> test.keytab:
>
> Vno  Type                     Principal                              Aliases
> 228  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 228  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 228  arcfour-hmac-md5         HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 227  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 227  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 226  aes256-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> 226  aes128-cts-hmac-sha1-96  HTTP/cupsserver.domain.tld@DOMAIN.TLD
> root@dc:~# kinit -k -t test.keytab HTTP/cupsserver.domain.tld@DOMAIN.TLD
> kinit: krb5_get_init_creds: Client (HTTP/cupsserver.domain.tld@DOMAIN.TLD) unknown
> root@dc:~#
>
> That's pretty much what I achieved. I tried the same without adding the
> realm at the end of the principal name, like it is in many examples
> over the web, but that doesn't change anything.
>
> I checked dns, service records, changing the enctypes and much more but
> the last answer is always "client unknown". The system, one pdc and 10
> additional dcs, one for each site of the company, has been working well
> and stable for years now.
>
> I'd be really glad about any hint you could give me.

Hi Thorsten,

You are pretty far in the right direction.

You correctly put an SPN on the machine account, which is what cups will use. However, if you create an SPN it assumes the default port (for http that is 443). If your cups service listens to 631, which I assume, you have to put that in the SPN, i.e. "HTTP/cupsserver.domain.tld:631@DOMAIN.TLD"

- Kees,

> Thanks in advance
> Thorsten
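An added example in Python, not code from the thread or from Samba: a parser for the keytab file format that `ktutil list` is reading in Thorsten's post (the 0x0502 layout written by Heimdal and MIT), plus a check for whether a keytab actually holds a given full principal, including the port-qualified form Kees suggests. The keytab bytes are constructed inside the block from dummy keys and mirror the seven entries in the listing; the enctype numbers 17, 18 and 23 are the standard aes128, aes256 and arcfour values. Reading the file directly shows what the KDC-side tools cannot: which exact principal strings, realms and kvnos the file carries, so a mismatch between the SPN cups asks for and what was exported is visible before touching the DC.

```python
"""Keytab (format 0x0502) parser and principal checker. Added example; the
sample keytab is constructed below with build_keytab() from dummy keys."""
import struct
from dataclasses import dataclass

# RFC 3962 / RFC 4757 enctype numbers, named as ktutil prints them
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
KRB5_NT_PRINCIPAL = 1

@dataclass
class KeytabEntry:
    principal: str   # components joined by "/", e.g. HTTP/cupsserver.domain.tld
    realm: str
    name_type: int
    timestamp: int
    vno: int
    enctype: int
    key: bytes

    def full_name(self) -> str:
        return f"{self.principal}@{self.realm}"

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n

def build_keytab(entries) -> bytes:
    """Serialise entries as a v2 keytab (used here to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.vno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.vno)             # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body   # positive size = live entry
    return bytes(out)

def parse_keytab(data: bytes):
    """Walk every entry; holes (negative size, left by ktutil remove) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key, pos = data[pos:pos + klen], pos + klen
        vno = vno8
        if end - pos >= 4:                       # 32-bit kvno present; 0 means use vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm, name_type, ts, vno, enctype, key))
    return entries

def check_keytab(data: bytes, wanted: str):
    """Return (found, highest kvno, enctype names at that kvno) for one full principal."""
    hits = [e for e in parse_keytab(data) if e.full_name() == wanted]
    if not hits:
        return False, None, []
    top = max(e.vno for e in hits)
    names = sorted(ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}")
                   for e in hits if e.vno == top)
    return True, top, names

def _entry(vno, enctype, keylen):   # dummy key material, constructed
    return KeytabEntry("HTTP/cupsserver.domain.tld", "DOMAIN.TLD", KRB5_NT_PRINCIPAL,
                       1750000000, vno, enctype, bytes(range(keylen)))

# Constructed sample: the seven entries ktutil listed in the post, with fake keys.
SAMPLE_KEYTAB = build_keytab([_entry(228, 18, 32), _entry(228, 17, 16), _entry(228, 23, 16),
                              _entry(227, 18, 32), _entry(227, 17, 16),
                              _entry(226, 18, 32), _entry(226, 17, 16)])

if __name__ == "__main__":
    for spn in ("HTTP/cupsserver.domain.tld@DOMAIN.TLD",
                "HTTP/cupsserver.domain.tld:631@DOMAIN.TLD"):
        print(spn, check_keytab(SAMPLE_KEYTAB, spn))
```

Against a real file, replace `SAMPLE_KEYTAB` with `open("test.keytab", "rb").read()`. The second query in the `__main__` block returns `(False, None, [])` for the sample, which is the point of the check: an export made for `HTTP/cupsserver.domain.tld` contains no key for the `:631` variant, so a client that requests the port-qualified service ticket cannot be served from it.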
Rowland Penny
2025-Jun-22 12:59 UTC
[Samba] Asking help exporting a valid keytab file for cups http
On Sun, 22 Jun 2025 13:56:37 +0200
Kees van Vloten via samba <samba@lists.samba.org> wrote:

> You are pretty far in the right direction.
>
> You correctly put an SPN on the machine account, which is what cups
> will use. However, if you create an SPN it assumes the default port
> (for http that is 443). If your cups service listens to 631, which I
> assume, you have to put that in the SPN, i.e.
> "HTTP/cupsserver.domain.tld:631@DOMAIN.TLD"

You might be right about the port, but I think it might need to start with 'https' instead of 'http' and if it does, then such an SPN will need to be added, the 'host' SPN does not cover 'https'.

Rowland