[Samba] kerberos | client not found

lists lists at merit.unu.edu
Mon Nov 21 13:18:29 UTC 2016


Hi,

Can someone point out what I am doing wrong here?

Background: I'm trying to make keycloak (saml) authenticate using 
kerberos, and I'm getting "client not found in kerberos database". Below 
are the steps I have taken.

I'm using a domain member server's machine account (server$) to add the 
SPN, since keycloak is running on that member server. (For the record: 
the member server works, kerberos works, kinit, etc, etc, no problems there.)

The steps I took:

On a dc, add an SPN to the domain member server account:
> root@dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$
("HTTP" in capitals taken from the keycloak docs)

Export to keytab:
> root@dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab

Copy the keytab to the domain member server where keycloak runs. 
Webserver is running on the member server, serving the url 
https://keycloak.company.com.

Checking out the generated keytab there:
> root@server# klist -k ./keycloak.keytab
> Keytab name: FILE:./keycloak.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM

Try to use the keytab:
> root@server:/usr/local/keycloak# kinit HTTP/keycloak.company.com@SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> kinit: Client 'HTTP/keycloak.company.com@SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> root@server:/usr/local/keycloak#

And again, on that samba member server, "kinit username" DOES work, so 
that makes me believe that there are no basic kerberos issues.

Does anyone have an idea?

MJ


