Hi,

When I have a service on a client that tries to use kerberos, I get errors such as these in the log.samba file:

    Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb

Does this mean that the kerberos authentication system is looking for the principal "host/ubuntu-test.mydomain.net@MYDOMAIN.NET" in samba4's domain or in the server's /etc/krb5.keytab file?

I have tried adding this principal to the /etc/krb5.keytab file using ktutil, but this error still pops up. I noticed that you can export a principal into a keytab file using "samba-tool domain exportkeytab", but how do you add the principal to the domain? Will adding the missing principal using "samba-tool spn" solve problems like these?

According to https://help.ubuntu.com/community/SingleSignOn , you add a host to the kerberos realm by doing these two commands on the kerberos server:

    kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM
    kadmin: ktadd -k ~/client.keytab host/client.example.com@EXAMPLE.COM

I am guessing that "kadmin: ktadd -k ~/client.keytab host/client.example.com@EXAMPLE.COM" is the equivalent of "samba-tool domain exportkeytab ~/client.keytab --principal=host/client.example.com", but what is the equivalent of "kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM" under samba4???

br,
Quinn