[Samba] Problem with keytab: "Client not found in Kerberos database"

Brian Candler b.candler@pobox.com
Tue Dec 20 10:56:35 UTC 2016


I finally found it, thanks to a clue from 
https://wiki.archlinux.org/index.php/Active_Directory_Integration

This works:

kinit -k -t /etc/krb5.keytab 'WRN-RADTEST$'

These don't work:

kinit -k -t /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab host/wrn-radtest.ad.example.net
kinit -k -t /etc/krb5.keytab host/wrn-radtest

That is: the keytab contains three different principals:

root@wrn-radtest:~# net ads keytab list
Vno  Type                                        Principal
   2  des-cbc-crc host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  des-cbc-crc host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 host/wrn-radtest@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 host/wrn-radtest@AD.EXAMPLE.NET
   2  des-cbc-crc WRN-RADTEST$@AD.EXAMPLE.NET
   2  des-cbc-md5 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96 WRN-RADTEST$@AD.EXAMPLE.NET
   2  arcfour-hmac-md5 WRN-RADTEST$@AD.EXAMPLE.NET

I can get a TGT for any of them, and by default kinit chooses the 
first.  But the LDAP server won't talk to me unless I choose the 
'WRN-RADTEST$' principal.

Now I just need to work out how to get freeradius to choose the right 
principal - but at worst I should be able to make a new keytab which 
doesn't have the other two.

Regards,

Brian.
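
Added example, not part of Brian's post: a POSIX shell helper that picks the machine-account principal (the NAME$@REALM entry) out of a `net ads keytab list` listing and generates the MIT `ktutil` commands to write a keytab holding only that principal, which is the "new keytab without the other two" route mentioned above. It assumes MIT ktutil's `rkt`/`delent`/`wkt` commands, that the listing is in keytab slot order, and uses a constructed listing as sample input.

```shell
#!/bin/sh
# Constructed sample of `net ads keytab list` output (shortened; not a real capture).
SAMPLE_LISTING='Vno  Type                     Principal
   2  aes128-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96  host/wrn-radtest.ad.example.net@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96  host/wrn-radtest@AD.EXAMPLE.NET
   2  aes128-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET
   2  aes256-cts-hmac-sha1-96  WRN-RADTEST$@AD.EXAMPLE.NET'

# Distinct principals in the listing (stdin), one per line, header skipped.
list_principals() {
    awk 'NR > 1 { print $3 }' | sort -u
}

# The machine-account principal: the only name that ends in "$" before "@REALM".
# This is the principal the LDAP server accepted in the post.
machine_principal() {
    awk 'NR > 1 && $3 ~ /\$@/ { print $3; exit }'
}

# Emit an MIT ktutil script (stdout) that reads KEYTAB, deletes every slot whose
# principal is not KEEP, and writes the survivors to OUT.  ktutil renumbers slots
# after each delent, so deletions are emitted from the highest slot downward.
# Assumption: `net ads keytab list` prints entries in keytab slot order.
ktutil_filter_script() {
    keytab=$1; out=$2; keep=$3
    awk -v keep="$keep" -v kt="$keytab" -v out="$out" '
        NR > 1 { slot++; if ($3 != keep) del[++n] = slot }
        END {
            print "rkt " kt
            for (i = n; i >= 1; i--) print "delent " del[i]
            print "wkt " out
            print "quit"
        }'
}

# Usage (on a real host):
#   net ads keytab list | ktutil_filter_script /etc/krb5.keytab /etc/krb5-machine.keytab \
#       "$(net ads keytab list | machine_principal)" | ktutil
#   kinit -k -t /etc/krb5-machine.keytab "$(klist -k /etc/krb5-machine.keytab | awk 'NR==4{print $2}')"
```

Run the generated script through `ktutil` and check the result with `klist -k -t` before pointing any service at the new file.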
