Hi,

Can someone point out what I am doing wrong here?

Background: I'm trying to make keycloak (saml) authenticate using kerberos, and I'm getting "client not found in kerberos database". Below are the steps I have taken.

I'm using a domain member server's machine account (server$) to add the SPN, since keycloak is running on that member server. (for the record: the member server works, kerberos works, kinit, etc, etc, no problems there)

The steps I took:

On a dc, add an SPN to the domain member server account:

> root@dc4# samba-tool spn add HTTP/keycloak.company.com/SAMBA.COMPANY.COM server$

("HTTP" in capitals taken from the keycloak docs)

Export to keytab:

> root@dc4# samba-tool domain exportkeytab --principal HTTP/keycloak.company.com keycloak.keytab

Copy the keytab to the domain member server where keycloak runs. Webserver is running on the member server, serving the url https://keycloak.company.com.

Checking out the generated keytab there:

> root@server# klist -k ./keycloak.keytab
> Keytab name: FILE:./keycloak.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
>    2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM

Try to use the keytab:

> root@server:/usr/local/keycloak# kinit HTTP/keycloak.company.com@SAMBA.COMPANY.COM -k -t ./keycloak.keytab
> kinit: Client 'HTTP/keycloak.company.com@SAMBA.COMPANY.COM' not found in Kerberos database while getting initial credentials
> root@server:/usr/local/keycloak#

And again, on that samba member server, "kinit username" DOES work, so that makes me believe that there are no basic kerberos issues.

Anyone have an idea?

MJ
Hai Mourik-Jan,

I think you are missing your PTR record in the reverse zone.
Or you are missing the Krb5KeyTab variable in the apache setup.

Test :
dig keycloak.company.com ( results in A ip. )
dig -x ip_adres

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists via samba
> Sent: Monday 21 November 2016 14:18
> To: samba at lists.samba.org
> Subject: [Samba] kerberos | client not found
Hai Louis,

On 21-11-2016 14:33, L.P.H. van Belle via samba wrote:
> I think you missing your ptr record in the reverse zone.
> Or you missing the Krb5KeyTab variable in the apache setup.
>
> Test :
> dig keycloak.company.com ( results in A ip. )
> dig -x ip_adres

Correct, I had no reverse. But reading that page, I also discovered something else:

<QUOTE>
We next need to setup an SPN (Service Principal Names) for the server name that any website resolves to (so the actual server name that a CNAME points to, fully qualified). If not using virtual hosting the web address and the machine name will be the same.
</QUOTE>

As my keycloak is a VHOST on the domain member server, I added a second SPN to AD and also the keytab:

first HTTP/keycloak.company.com/SAMBA.COMPANY.COM
second HTTP/domainmember.company.com/SAMBA.COMPANY.COM

And then things started to work.

I'll also try to add the reverse to dns, and then remove the second domainmember SPN. See if things still work then. :-)

Thanks for the quick reply!

MJ
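Added here as an illustration, not code from MJ, Louis, or the Samba wiki page: a small Python check that ties the two findings of this thread together. It parses `klist -k` output, follows the vhost name to the canonical host it is a CNAME for, and reports when the keytab lacks an `HTTP/<canonical host>` entry or when the forward/reverse DNS records disagree, which is what Louis's `dig` / `dig -x` test looks for by hand. The DNS data is a constructed stand-in (a dictionary) rather than a live resolver, and the sample `klist` text is the thread's own listing with the list-archive " at " obfuscation turned back into "@"; the host and IP values are assumptions. It checks only keytab/DNS consistency, not whether the SPN is actually registered on the machine account in AD.

```python
import re
from dataclasses import dataclass

# Constructed sample: the `klist -k ./keycloak.keytab` listing from the thread.
SAMPLE_KLIST = """Keytab name: FILE:./keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
   2 HTTP/keycloak.company.com@SAMBA.COMPANY.COM
"""

# Constructed sample: the same keytab after the second SPN was exported into it.
FIXED_KLIST = SAMPLE_KLIST + "   2 HTTP/domainmember.company.com@SAMBA.COMPANY.COM\n"

# Constructed stand-in for DNS (assumption): the vhost name is a CNAME to the
# member server, which owns the A record and has a matching PTR record.
SAMPLE_DNS = {
    "cname": {"keycloak.company.com": "domainmember.company.com"},
    "a": {"domainmember.company.com": "192.0.2.10"},
    "ptr": {"192.0.2.10": "domainmember.company.com"},
}


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    service: str
    host: str
    realm: str


# One keytab line: "<kvno> <service>/<host>@<REALM>"; header lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_klist(text):
    """Turn `klist -k` output into KeytabEntry objects, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2),
                                       m.group(3).lower(), m.group(4)))
    return entries


def canonical_host(name, dns):
    """Follow CNAME records until reaching the host that owns the A record."""
    seen = set()
    while name in dns["cname"] and name not in seen:
        seen.add(name)
        name = dns["cname"][name]
    return name


def check_keytab(text, vhost, realm, dns, service="HTTP"):
    """Return a list of problems; an empty list means keytab and DNS agree."""
    entries = parse_klist(text)
    if not entries:
        return ["keytab contains no parsable entries"]
    problems = []
    hosts = {e.host for e in entries if e.service == service and e.realm == realm}
    canon = canonical_host(vhost, dns)

    # The vhost name the browser uses must be in the keytab.
    if vhost not in hosts:
        problems.append(f"no {service}/{vhost}@{realm} entry")
    # If the vhost is a CNAME, the canonical server name needs its own SPN entry
    # (the point MJ found on the wiki page).
    if canon != vhost and canon not in hosts:
        problems.append(f"{vhost} is a CNAME for {canon}, "
                        f"but keytab lacks {service}/{canon}@{realm}")
    # Forward and reverse records must agree (Louis's dig / dig -x test).
    ip = dns["a"].get(canon)
    if ip is None:
        problems.append(f"no A record for {canon}")
    elif dns["ptr"].get(ip) != canon:
        problems.append(f"PTR for {ip} is {dns['ptr'].get(ip)!r}, expected {canon}")
    return problems


if __name__ == "__main__":
    for label, listing in (("original", SAMPLE_KLIST), ("fixed", FIXED_KLIST)):
        print(label, check_keytab(listing, "keycloak.company.com",
                                  "SAMBA.COMPANY.COM", SAMPLE_DNS))
```

Run against the thread's original listing it reports the missing `HTTP/domainmember.company.com` entry; against the fixed listing it reports nothing. Replacing the `SAMPLE_DNS` dictionary with real lookups is the only change needed to use it on a live member server.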