[Samba] kerberos | client not found
lists
lists at merit.unu.edu
Mon Nov 21 13:59:15 UTC 2016
Hai Louis,
On 21-11-2016 14:33, L.P.H. van Belle via samba wrote:
> I think you are missing your PTR record in the reverse zone.
> Or you are missing the Krb5KeyTab variable in the Apache setup.
>
> Test :
> dig keycloak.company.com ( results in A ip. )
> dig -x ip_adres
Correct, I had no reverse. But reading that page, I also discovered
something else:
<QUOTE>
We next need to setup an SPN (Service Principal Names) for the server
name that any website resolves to (so the actual server name that a
CNAME points to, fully qualified). If not using virtual hosting the web
address and the machine name will be the same.
</QUOTE>
As my keycloak is a VHOST on the domain member server, I added a second
SPN to AD and also the keytab:
first HTTP/keycloak.company.com/SAMBA.COMPANY.COM
second HTTP/domainmember.company.com/SAMBA.COMPANY.COM
And then things started to work.
I'll also try to add the reverse to dns, and then remove the second
domainmember SPN. See if things still work then. :-)
Thanks for the quick reply!
MJ
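
An added example, not part of the original message or of Samba: depending on its configuration, a Kerberos client may build the HTTP/ principal from the name as requested, from the forward-canonical name (the CNAME target), or from the PTR name of the address, so this sketch lists those names and reports which ones have no entry in `klist -k` output. The function names, the sample keytab listing, the 192.0.2.10 address and the PTR target are assumptions constructed for illustration.

```python
import socket

def live_lookup(name):
    """(canonical name, [IPv4 addresses]) from the system resolver."""
    canon, _aliases, ips = socket.gethostbyname_ex(name)
    return canon, ips

def live_reverse(ip):
    """PTR name for ip, or None when the reverse zone has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def candidate_hosts(name, lookup=live_lookup, reverse=live_reverse):
    """Names a client may use in HTTP/<host>: the name as requested, the
    forward-canonical name (CNAME target) and the PTR name of each address."""
    canon, ips = lookup(name)
    hosts = []
    for h in [name, canon] + [reverse(ip) for ip in ips]:
        h = h.lower().rstrip(".") if h else None
        if h and h not in hosts:
            hosts.append(h)
    return hosts

def keytab_hosts(klist_text, service="HTTP"):
    """Host parts of <service>/<host>@REALM principals in `klist -k` output."""
    found = set()
    for line in klist_text.splitlines():
        fields = line.split()
        if fields and fields[-1].startswith(service + "/"):
            found.add(fields[-1][len(service) + 1:].split("@")[0].lower())
    return found

def missing_spns(name, klist_text, lookup=live_lookup, reverse=live_reverse):
    """Candidate hosts that have no matching principal in the keytab."""
    have = keytab_hosts(klist_text)
    return [h for h in candidate_hosts(name, lookup, reverse) if h not in have]

# Constructed sample data (192.0.2.10 is a documentation address).
SAMPLE_KEYTAB = """KVNO Principal
---- ----------------------------------------
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
"""
SAMPLE_A = {"keycloak.company.com": ("keycloak.company.com", ["192.0.2.10"])}
SAMPLE_PTR = {"192.0.2.10": "domainmember.company.com"}

if __name__ == "__main__":
    print(missing_spns("keycloak.company.com", SAMPLE_KEYTAB,
                       SAMPLE_A.__getitem__, SAMPLE_PTR.get))
```

Called with only a host name and the text of `klist -k`, `missing_spns` uses the system resolver instead of the constructed tables.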