Since a simple “kadmin listprincs” did not work I’ve tried the second way:
#univention-s4search ‘(|(userPrincipalName=)(servicePrincipalName=))’ userPrincipalName servicePrincipalName | grep -i nc158-muc-v4
params.c:pm_process() - Processing configuration file “/etc/samba/base.conf”
params.c:pm_process() - Processing configuration file “/etc/samba/installs.conf”
params.c:pm_process() - Processing configuration file “/etc/samba/printers.conf”
params.c:pm_process() - Processing configuration file “/etc/samba/local.conf”
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘krb5’ registered
GENSEC backend ‘fake_gssapi_krb5’ registered
dn: CN=nc158-muc-v4,CN=clients,CN=computers,OU=muc,DC=test,DC=test
userPrincipalName: host/nc158-muc-v4.test.test@TEST.TEST
Next I’ve tried to export the keytab using ktutil:
#ktutil -k ~/nc158-muc-v4_host.keytab get host/nc158-muc-v4.test.test@TEST.TEST
Again I am asked to enter password for principal root/admin@TEST.TEST! This user doesn’t exist. I thought about using “Administrator”: “kinit Administrator”. The requested Password I knew. Tickets where created an available. Since exporting a keytab needs admin rights I suspected to be asked again for password for “administrator/admin@TEST.TEST” trying to export the keytab. Yes it was. The known passwort for “Administrator” didn’t match!
How do I export a keytab with UCS without any kerberos admin user (no user having “/admin” option set?