[Samba] kerberos | client not found
lists
lists at merit.unu.edu
Mon Nov 21 13:18:29 UTC 2016
Hi,
Can someone point out what I am doing wrong here?
Background: I'm trying to make keycloak (saml) authenticate using
kerberos, and I'm getting "client not found in kerberos database". Below
are the steps I have taken.
I'm using a domain member server's machine account (server$) to add the
SPN, since keycloak is running on that member server. (for the record:
the member server works, kerberos works, kinit, etc, etc, no problems there)
The steps I took:
On a dc, add an SPN to the domain member server account:
> root@dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$
("HTTP" in capitals taken from the keycloak docs)
Export to keytab:
> root@dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab
Copy the keytab to the domain member server where keycloak runs.
Webserver is running on the member server, serving the url
https://keycloak.company.com.
Checking out the generated keytab there:
> root@server# klist -k ./keycloak.keytab
> Keytab name: FILE:./keycloak.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
Try to use the keytab:
> root@server:/usr/local/keycloak# kinit HTTP/keycloak.company.com@SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> kinit: Client 'HTTP/keycloak.company.com@SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> root@server:/usr/local/keycloak#
And again, on that samba member server, "kinit username" DOES work, so
that makes me believe that there are no basic kerberos issues.
Anyone have an idea?
MJ
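A consistency check a practitioner would run on the steps above before reaching for kinit, added here as an example and not part of the original post or of Samba: pull the distinct principals out of `klist -k` output, strip the realm, and confirm that each one is registered verbatim as an SPN on the machine account. The klist text is constructed from the lines quoted in the post; the SPN list is a constructed stand-in for what `samba-tool spn list server$` returns on the DC (only the SPN added in the post is included, and the "spn list" formatting is not reproduced); the function names are the example's own. The check only tells you whether the string given to `spn add` and the string given to `exportkeytab` agree; it does not by itself explain the kinit error.

```shell
#!/bin/sh
# Added example: cross-check exported keytab principals against registered SPNs.

# Constructed from the klist -k output quoted in the post.
KLIST_OUTPUT='Keytab name: FILE:./keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM'

# Constructed stand-in for the SPNs on server$ after the post's "spn add":
# one SPN per line, as you would paste them from "samba-tool spn list server$".
SPN_LIST='HTTP/keycloak.company.com/SAMBA.COMPANY.COM'

# Print the distinct principals found in "klist -k" output, realm removed.
# Only lines that start with a KVNO are considered, so the header and the
# separator line are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ +[^ ]+/ { sub(/@.*$/, "", $2); seen[$2]++ }
        END { for (p in seen) print p }' | sort
}

# For every keytab principal, require an SPN that matches it exactly.
# Reports each mismatch and, when some registered SPN merely contains the
# principal (e.g. an extra trailing component), shows that near-miss too.
# Exit status: 0 when everything matches, 1 when at least one does not.
spn_mismatches() {
    keytab="$1"
    spns="$2"
    rc=0
    for p in $(keytab_principals "$keytab"); do
        if printf '%s\n' "$spns" | grep -Fxq -- "$p"; then
            continue
        fi
        rc=1
        printf 'not registered as SPN: %s\n' "$p"
        near=$(printf '%s\n' "$spns" | grep -F -- "$p" || true)
        if [ -n "$near" ]; then
            printf '  closest registered SPN: %s\n' "$near"
        fi
    done
    return $rc
}

# Stand-alone usage: with the values from the post this reports the mismatch.
if spn_mismatches "$KLIST_OUTPUT" "$SPN_LIST"; then
    echo "keytab principals and registered SPNs agree"
else
    echo "fix the SPN or re-export the keytab before testing with kinit"
fi
```

Run it on a real system by replacing the two constructed strings with the actual `klist -k` output and the SPN lines from `samba-tool spn list`; an empty report means both commands were given the same principal string.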