[Samba] kerberos | client not found

L.P.H. van Belle belle at bazuin.nl
Mon Nov 21 13:33:14 UTC 2016


Hi Mourik-Jan, 

I think you are missing your PTR record in the reverse zone. 
Or you are missing the Krb5KeyTab variable in the Apache setup. 

Test: 
dig keycloak.company.com     (results in the A record IP.) 
dig -x ip_address 

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists via samba
> Sent: Monday 21 November 2016 14:18
> To: samba at lists.samba.org
> Subject: [Samba] kerberos | client not found
> 
> Hi,
> 
> Can someone point out what I am doing wrong here?
> 
> Background: I'm trying to make keycloak (saml) authenticate using
> kerberos, and I'm getting "client not found in kerberos database". Below
> are the steps I have taken.
> 
> I'm using a domain member server's machine account (server$) to add the
> SPN, since keycloak is running on that member server. (For the record:
> the member server works, kerberos works, kinit, etc., etc., no problems
> there.)
> 
> The steps I took:
> 
> On a dc, add an SPN to the domain member server account:
> > root at dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$
> ("HTTP" in capitals taken from the keycloak docs)
> 
> Export to keytab:
> > root at dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab
> 
> Copy the keytab to the domain member server where keycloak runs.
> Webserver is running on the member server, serving the url
> https://keycloak.company.com.
> 
> Checking out the generated keytab there:
> > root at server# klist -k ./keycloak.keytab
> > Keytab name: FILE:./keycloak.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
> >    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
> 
> Try to use the keytab:
> > root at server:/usr/local/keycloak# kinit HTTP/keycloak.company.com@SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> > kinit: Client 'HTTP/keycloak.company.com@SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> > root at server:/usr/local/keycloak#
> 
> And again, on that samba member server, "kinit username" DOES work, so
> that makes me believe that there are no basic kerberos issues.
> 
> Anyone have an idea?
> 
> MJ
> 
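Louis's suggestion to check the forward and reverse DNS records, and MJ's `klist -k` listing, can be combined into one check: the principal a Kerberos client will actually request for `HTTP@keycloak.company.com` is derived from DNS (an MIT krb5 client with the default `rdns = true` canonicalises the host name through the A record and then the PTR record), so a missing or wrong PTR makes the client ask for a principal that is not in the exported keytab. The script below is an added example written for this thread; it is not code from Samba, Keycloak or either poster. The `klist` text and the DNS tables are constructed samples (RFC 5737 addresses), and the lookups are table-backed so it runs offline; in real use point `table_lookups` at `socket.gethostbyname` / `socket.gethostbyaddr` or at `dig` output. The canonicalisation model is a simplified assumption of what libkrb5 does, enough to show the failure mode.

```python
"""Compare the principals in an exported keytab with the service principal a
Kerberos client would build from DNS (added example, not from the thread)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# `klist -k` output re-typed from the thread (constructed sample, not captured live).
SAMPLE_KLIST = """Keytab name: FILE:./keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
"""

# Constructed DNS data using a documentation address; not real records.
FORWARD_OK = {"keycloak.company.com": "192.0.2.10"}
REVERSE_OK = {"192.0.2.10": "keycloak.company.com."}
REVERSE_WRONG = {"192.0.2.10": "server.company.com."}  # PTR names the box, not the vhost
REVERSE_MISSING: Dict[str, str] = {}                   # no PTR at all

Lookup = Callable[[str], Optional[str]]


def parse_klist(text: str) -> List[str]:
    """Distinct principals from `klist -k` output (one line per key/enctype)."""
    found: List[str] = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def table_lookups(forward: Dict[str, str], reverse: Dict[str, str]) -> Tuple[Lookup, Lookup]:
    """Offline stand-ins for socket.gethostbyname / socket.gethostbyaddr."""
    return (lambda name: forward.get(name.lower()), lambda ip: reverse.get(ip))


def expected_service_principal(host: str, realm: str, a_lookup: Lookup,
                               ptr_lookup: Lookup, rdns: bool = True) -> Optional[str]:
    """Principal an MIT krb5 client asks the KDC for when contacting HTTP@host.

    Simplified model (assumption) of libkrb5 host canonicalisation: resolve the
    A record, then with rdns=true (the library default) replace the name with the
    PTR result if one exists.  No A record: the client cannot reach the service.
    PTR naming another host: the client requests a principal the keytab lacks.
    """
    ip = a_lookup(host)
    if ip is None:
        return None
    name = host
    if rdns:
        ptr = ptr_lookup(ip)
        if ptr:
            name = ptr
    return f"HTTP/{name.rstrip('.').lower()}@{realm}"


def check_keytab(klist_text: str, host: str, realm: str, a_lookup: Lookup,
                 ptr_lookup: Lookup, rdns: bool = True) -> Dict[str, object]:
    """Report whether the principal clients will request is present in the keytab."""
    have = parse_klist(klist_text)
    want = expected_service_principal(host, realm, a_lookup, ptr_lookup, rdns)
    return {"keytab": have, "client_requests": want,
            "ok": want is not None and want in have}


if __name__ == "__main__":
    host, realm = "keycloak.company.com", "SAMBA.COMPANY.COM"
    for label, reverse in (("consistent DNS", REVERSE_OK),
                           ("PTR mismatch", REVERSE_WRONG),
                           ("PTR missing", REVERSE_MISSING)):
        a, ptr = table_lookups(FORWARD_OK, reverse)
        print(f"{label:15s}", check_keytab(SAMPLE_KLIST, host, realm, a, ptr))
```

With a matching PTR (or no PTR, in which case the forward name is kept) the check passes; with a PTR that names a different host the client asks for `HTTP/server.company.com@SAMBA.COMPANY.COM`, which the keytab does not hold, and the check fails unless the client is configured with `rdns = false`. Independently of DNS, the usual way to verify an exported service keytab is to obtain a TGT as an ordinary user and request a ticket for the service with `kvno HTTP/keycloak.company.com`, which exercises the same path the web server will later use.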