On Thu, 2013-01-24 at 18:33 +0200, Hleb Valoshka wrote:
> Please! Don't write into private mail. Thanks.
>
> > $ samba-tool user create http-user --random-password
> > $ samba-tool spn add HTTP/www.nisled.org http-user
>
> Okay, you've got user http-user with principals http-u...@nisled.org
> and HTTP/www.nisled....@nisled.org.
>
> > $ samba-tool domain exportkeytab --principal=HTTP/www.nisled.org http.keytab
>
> Here you export _only_ HTTP/www.nisled....@nisled.org.
>
> > $ kinit -k -t http.keytab http-user
> > kinit: Key table entry not found while getting initial credentials
>
> Of course, because you didn't export it.
>
> > Can anyone help me?
>
> Export http-u...@nisled.org too.

Exactly. While the Samba KDC is smart, and knows these are the same
user, the keytab and krb5 client tools are dumb (very), they work on
exact string matches, so you have to export out exactly the name you
want to kinit as, or kinit as HTTP/www.nisled....@nisled.org.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
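
Added example, not part of the original thread or of Samba's code: a small parser for the keytab file format (version 0x0502) showing that lookup is an exact match on the stored principal string. The realm EXAMPLE.TEST, the all-zero key and the helper names build_entry, list_principals and has_key_for are constructed for illustration.

```python
import struct

def build_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry (format 0x0502) for a constructed test key."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    def cs(s):  # counted string: uint16 length followed by the bytes
        b = s if isinstance(s, bytes) else s.encode()
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm)
    body += b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cs(key)    # keyblock: enctype + counted key
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return the principal strings stored in a keytab, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:          # hole left by a deleted entry: skip it
            pos += -size
            continue
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            parts.append(data[p:p + n].decode()); p += n
        out.append("/".join(parts[1:]) + "@" + parts[0])
        pos += size           # skip the rest of the entry (timestamp, kvno, key)
    return out

def has_key_for(keytab, principal):
    """Exact string comparison: no aliasing between a user and its SPNs."""
    return principal in list_principals(keytab)

# Constructed sample data: an all-zero 32-byte key, enctype 18 (aes256-cts-hmac-sha1-96).
KEY = bytes(32)
ONLY_SPN = b"\x05\x02" + build_entry("HTTP/www.example.test@EXAMPLE.TEST", 1, 18, KEY)
BOTH = ONLY_SPN + build_entry("http-user@EXAMPLE.TEST", 1, 18, KEY)
```

With only the SPN exported, has_key_for(ONLY_SPN, "http-user@EXAMPLE.TEST") is False, which corresponds to the "Key table entry not found" error above; once the user principal is exported as well, the lookup succeeds.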