Gist: I have set up Samba as an AD DC. I'd like to export a keytab for the SPNs of a computer account only, without having the computer run Samba itself or issue net ads join. Running samba-tool domain exportkeytab gives me no keys for the SPNs, and I believe it's because there is no machine password. How can I fix that?
Long version: I have set up Samba as a full-featured AD primary domain controller. User authentication works, DNS works, etc., so I'm fairly sure that the server itself is OK. In addition, there are already two machines joined to the domain and their keytabs work, so the server is probably not at fault, but PEBKAC.
Now I have a FreeBSD-running Squid cache and I'd like to set up Kerberos authentication for the proxy. I don't want to run Samba on this machine - there is no reason for it. So I thought that creating a computer account, setting SPNs and exporting the keytab might work, but it didn't.
Specifically, I run samba-tool computer add PROXYMACHINE --ip-address=172.19.9.22 --ip-address=dead:beef:cafe::22 --service-principal-name='host/proxymachine.example.com' --service-principal-name='HTTP/proxymachine.example.com'. Everything works fine; running samba-tool computer show PROXYMACHINE gives me the full info.
However, running samba-tool domain exportkeytab complete.keytab does not give me any keys for the SPNs of the machine. The filter conditions also don't work. samba-tool tells me "Export two principals to krb5.keytab," but the file does not even exist (even though samba-tool exits with RC 0).
The difference between the joined computers and this one is that there is no password. So I believe that this might be the culprit. But I don't know how to set a machine password, and I can't verify that this actually is the problem - it might be something else.
So, bottom line: What do I need to do to (1) manage a computer as an "inventory item" (computer account), (2) associate SPNs with it, and (3) export those to a Kerberos keytab? Or is my approach perhaps wrong entirely?
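Once an export does produce a file, the check a practitioner wants is to list which principals actually ended up in it rather than trusting samba-tool's "Export two principals" message. The following is an added example, not code from the question or from Samba: a minimal Python reader for the MIT keytab v2 format (the format samba-tool writes), run against a keytab constructed inline. The proxymachine SPNs come from the question; the realm EXAMPLE.COM, the key bytes, enctype 18 (AES256-CTS) and the kvno values are assumptions.

```python
import struct

def _counted(buf, off):  # uint16-length-prefixed octet string -> (bytes, next_off)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT 0x0502 keytab; negative-size (deleted) slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, start = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:                          # deleted entry: skip its body
            off = start - size
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, off = _counted(data, start + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                      # fixed header fields plus the key bytes
        kvno = vno8
        if start + size - off >= 4:           # optional full 32-bit kvno trails the key
            (kvno,) = struct.unpack_from(">I", data, off)
        off = start + size
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def build_entry(principal, kvno, enctype, key, deleted=False):
    """Encode one keytab entry (used here only to construct sample data)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # NT-PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body

def has_spn(data, spn):  # True if a live entry's principal (realm stripped) equals spn
    return any(p.split("@")[0] == spn for p, _, _ in parse_keytab(data))

# Constructed sample keytab: host/ and HTTP/ SPNs with assumed enctype 18, plus one deleted slot.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("host/proxymachine.example.com@EXAMPLE.COM", 1, 18, b"\x11" * 32)
    + build_entry("cifs/old.example.com@EXAMPLE.COM", 1, 18, b"\x00" * 32, deleted=True)
    + build_entry("HTTP/proxymachine.example.com@EXAMPLE.COM", 3, 18, b"\x22" * 32))
```

On a host with the MIT Kerberos tools installed, klist -kt on the exported file gives the same listing.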