[Samba] kerberos | client not found

lists lists at merit.unu.edu
Mon Nov 21 13:18:29 UTC 2016


Can someone point out what I am doing wrong here?

Background: I'm trying to make keycloak (saml) authenticate using 
kerberos, and I'm getting "client not found in kerberos database". Below 
are the steps I have taken.

I'm using a domain member servers machine account (server$) to add the 
SPN, since keycloak is running on that member server. (for the record: 
the member server works, kerberos works, kinit, etc, etc, no problems there)

The steps I took:

On a dc, add an SPN to the domain member server account:
> root at dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$
("HTTP" in capitals taken from the keycloak docs)

Export to keytab:
> root at dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab

Copy the keytab to the domain member server where keycloak runs. 
Webserver is running on the member server, serving the url 

Checking out the generated keytab there:
> root at server# klist -k ./keycloak.keytab
> Keytab name: FILE:./keycloak.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/keycloak.company.com at SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com at SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com at SAMBA.COMPANY.COM

Try to use the keytab:
> root at server:/usr/local/keycloak# kinit  HTTP/keycloak.company.com at SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> kinit: Client 'HTTP/keycloak.company.com at SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> root at server:/usr/local/keycloak#

And again, on that samba member server, "kinit username" DOES work, so 
that makes me believe that there are no basic kerberos issues.

Anyone an idea?


More information about the samba mailing list