[Samba] kerberos | client not found

lists lists at merit.unu.edu
Mon Nov 21 13:59:15 UTC 2016

Hai Louis,

On 21-11-2016 14:33, L.P.H. van Belle via samba wrote:
> I think you missing your ptr record in the reverse zone.
> Or you missing the Krb5KeyTab variable in the apache setup.
> Test :
> dig keycloak.company.com     ( results in A ip. )
> dig -x ip_adres

Correct, I had no reverse. But reading that page, I also discovered 
something else:

We next need to setup an SPN (Service Principal Names) for the server 
name that any website resolves to (so the actual server name that a 
CNAME points to, fully qualified). If not using virtual hosting the web 
address and the machine name will be the same.

As my keycloak is a VHOST on the domain member server, I added a second 
SPN to AD and also the keytab:
first 	HTTP/keycloak.company.com/SAMBA.COMPANY.COM
second  HTTP/domainmember.company.com/SAMBA.COMPANY.COM

And then things started to work.

I'll also try to add the reverse to dns, and then remove the second 
domainmember SPN. See if things still work then. :-)

Thanks for the quick reply!


More information about the samba mailing list