[Samba] kerberos | client not found
L.P.H. van Belle
belle at bazuin.nl
Mon Nov 21 13:33:14 UTC 2016
Hai Mourik-Jan,
I think you are missing your PTR record in the reverse zone.
Or you are missing the Krb5KeyTab variable in the Apache setup.
Test:
dig keycloak.company.com (results in the A record's IP.)
dig -x ip_address
https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists via samba
> Sent: Monday 21 November 2016 14:18
> To: samba at lists.samba.org
> Subject: [Samba] kerberos | client not found
>
> Hi,
>
> Can someone point out what I am doing wrong here?
>
> Background: I'm trying to make keycloak (saml) authenticate using
> kerberos, and I'm getting "client not found in kerberos database". Below
> are the steps I have taken.
>
> I'm using a domain member server's machine account (server$) to add the
> SPN, since keycloak is running on that member server. (for the record:
> the member server works, kerberos works, kinit, etc, etc, no problems
> there)
>
> The steps I took:
>
> On a dc, add an SPN to the domain member server account:
> > root@dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$
> ("HTTP" in capitals taken from the keycloak docs)
>
> Export to keytab:
> > root@dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab
>
> Copy the keytab to the domain member server where keycloak runs.
> Webserver is running on the member server, serving the url
> https://keycloak.company.com.
>
> Checking out the generated keytab there:
> > root@server# klist -k ./keycloak.keytab
> > Keytab name: FILE:./keycloak.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>
> Try to use the keytab:
> > root@server:/usr/local/keycloak# kinit HTTP/keycloak.company.com@SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> > kinit: Client 'HTTP/keycloak.company.com@SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> > root@server:/usr/local/keycloak#
>
> And again, on that samba member server, "kinit username" DOES work, so
> that makes me believe that there are no basic kerberos issues.
>
> Anyone an idea?
>
> MJ
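An added example, not from this thread or from Samba: offline consistency checks for the three things discussed above (forward/reverse DNS agreement as Louis suggests, the keytab contents as shown by `klist -k`, and whether the SPN registered with `spn add` is the same one passed to `exportkeytab`). The dig answers, the IP address and the klist listing are constructed samples modelled on the thread, not real data.

```python
import re

# Constructed samples modelled on the thread (not real data): dig answers and a `klist -k` listing.
FORWARD = {"keycloak.company.com.": "192.0.2.10"}  # dig keycloak.company.com
REVERSE = {"192.0.2.10": "server.company.com."}    # dig -x 192.0.2.10
KLIST_OUT = """Keytab name: FILE:./keycloak.keytab
KVNO Principal
---- --------------------------------------------
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
"""

def check_dns(fqdn, forward, reverse):
    """[] when the A record and its PTR agree, else a list of findings."""
    name = fqdn.rstrip(".").lower() + "."
    ip = forward.get(name)
    if ip is None:
        return [f"no A record for {name}"]
    ptr = reverse.get(ip)
    if ptr is None:
        return [f"no PTR record for {ip}: add it to the reverse zone"]
    if ptr.lower() != name:
        return [f"PTR for {ip} is {ptr}, expected {name}"]
    return []

def parse_klist(output):
    """Parse `klist -k` output into (kvno, principal) tuples; header lines are skipped."""
    rows = (re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", l) for l in output.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]

def check_keytab(output, spn, realm):
    """spn@REALM must be in the keytab; flag it if its entries carry more than one KVNO."""
    want = f"{spn}@{realm}"
    kvnos = {kvno for kvno, princ in parse_klist(output) if princ == want}
    if not kvnos:
        return [f"{want} not present in keytab"]
    if len(kvnos) > 1:
        return [f"{want} has several KVNOs {sorted(kvnos)}; confirm the keytab is current"]
    return []

def check_spn(registered, exported):
    """An SPN is serviceclass/host[:port][/servicename]; `spn add` and --principal must name the same one."""
    if registered.lower() != exported.lower():
        return [f"registered SPN {registered!r} differs from exported {exported!r}"]
    return []

def run_checks(fqdn, realm, registered_spn, exported_spn, forward, reverse, klist):
    """Collect every finding; an empty list means the setup is consistent."""
    return (check_dns(fqdn, forward, reverse)
            + check_spn(registered_spn, exported_spn)
            + check_keytab(klist, exported_spn, realm))
```

Feeding it the values from the thread (the `spn add` argument and the `--principal` argument side by side) reports two findings with the constructed DNS data: the PTR mismatch and the SPN difference.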