[Samba] kinit with SPN fail

banda bassotti bandabasotti at gmail.com
Wed Jun 10 16:48:02 UTC 2020


Hello again. After obtaining the keytab file, I tried to use kinit with the
keytab file followed by the SPN:

$ samba-tool spn list z1
z1
User CN=z1,CN=Users,DC=home,DC=lan has the following servicePrincipalName:
         zookeeper/ap42.home.lan

$ samba-tool domain exportkeytab z1.ktab --principal=z1
$ samba-tool domain exportkeytab z1.ktab --principal=zookeeper/ap42.home.lan

$ kinit -V -k -t z1.ktab zookeeper/ap42.home.lan
Using default cache: /tmp/krb5cc_1003
Using principal: zookeeper/ap42.home.lan@HOME.LAN
Using keytab: z1.ktab
kinit: Client 'zookeeper/ap42.home.lan@HOME.LAN' not found in Kerberos database while getting initial credentials
zookeeper@AP42:~$

samba log:
[2020/06/10 18:36:14.801334,  2, pid=27610, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[zookeeper/ap42.home.lan@HOME.LAN] at [Wed, 10 Jun 2020 18:36:14.801316 CEST] with [(null)] status [NT_STATUS_NO_SUCH_USER] workstation [(null)] remote host [ipv4:192.168.1.2:37598] mapped to [(null)]\[(null)]. local host [NULL]

Using the principal works:

$ kinit -V -k -t z1.ktab z1
Using default cache: /tmp/krb5cc_1003
Using principal: z1@HOME.LAN
Using keytab: z1.ktab
Authenticated to Kerberos v5

$ klist -k -e z1.ktab
Keytab name: FILE:z1.ktab
KVNO Principal
---- --------------------------------------------------------------------------
   2 zookeeper/ap42.home.lan@HOME.LAN (arcfour-hmac)
   2 zookeeper/ap42.home.lan@HOME.LAN (des-cbc-md5)
   2 zookeeper/ap42.home.lan@HOME.LAN (des-cbc-crc)
   2 z1@HOME.LAN (aes256-cts-hmac-sha1-96)
   2 z1@HOME.LAN (aes128-cts-hmac-sha1-96)
   2 z1@HOME.LAN (arcfour-hmac)
   2 z1@HOME.LAN (des-cbc-md5)
   2 z1@HOME.LAN (des-cbc-crc)

/etc/krb5.conf:

[libdefaults]
  default_realm = HOME.LAN
  dns_lookup_realm = false
  dns_lookup_kdc = true

Thanks.

