Add the SPN to the account files, since id is running on the id.company.com machine:
samba-tool spn add HTTP/id.samba.company.com id$
samba-tool domain exportkeytab --principal HTTP/id.samba.company.com id.keytab
List keys in id.keytab:
root@dc4:~# klist -k ./id.keytab
Keytab name: FILE:./id.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
Make sure that a reverse DNS entry exists! (So, in case you use id.company.com, add a reverse for id.company.com.) Then:
2016-11-21 15:05:55,649 INFO [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry]
(default task-3) Creating new LDAP based partition manager for the Federation provider:
active directory, LDAP Configuration:
{serverPrincipal=HTTP/id.copany.com@SAMBA.COMPANY.COM, pagination=true,
connectionPooling=true, usersDn=cn=users,dc=samba,dc=company,dc=com,
userAccountControlsAfterPasswordUpdate=true, useKerberosForPasswordAuthentication=false,
bindDn=cn=service_account,cn=users,dc=samba,dc=company,dc=com,
usernameLDAPAttribute=sAMAccountName, vendor=ad, uuidLDAPAttribute=objectGUID,
allowKerberosAuthentication=true, connectionUrl=ldaps://localhost:636,
syncRegistrations=false, authType=simple, debug=true, searchScope=1,
keyTab=/usr/local/keycloak/standalone/configuration/id.keytab, useTruststoreSpi=ldapsOnly,
kerberosRealm=SAMBA.COMPANY.COM, userObjectClasses=person, organizationalPerson, user,
rdnLDAPAttribute=cn, editMode=READ_ONLY, batchSizeForSync=1000}
2016-11-21 15:05:55,746 INFO [stdout] (default task-3) Debug is true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false
KeyTab is /usr/local/keycloak/standalone/configuration/id.keytab refreshKrb5Config is
false principal is HTTP/id.company.com@SAMBA.COMPANY.COM tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
2016-11-21 15:05:55,790 INFO [stdout] (default task-3) principal is HTTP/id.company.com@SAMBA.COMPANY.COM
2016-11-21 15:05:55,790 INFO [stdout] (default task-3) Will use keytab
2016-11-21 15:05:55,792 INFO [stdout] (default task-3) Commit Succeeded
2016-11-21 15:05:55,792 INFO [stdout] (default task-3)
2016-11-21 15:05:55,994 INFO [stdout] (default task-3) [Krb5LoginModule]: Entering logout
2016-11-21 15:05:55,995 INFO [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
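As an added check (example script, not part of the post above), the following compares the serverPrincipal that Keycloak logs in its LDAP Configuration line against the principals actually present in the exported keytab, and verifies that the SPN host has a reverse DNS record that maps back to it. The klist listing and log line below are constructed samples in the same shape as the ones in the post; the function names are my own.

```shell
#!/bin/sh
# Added example: verify Keycloak's Kerberos principal against the keytab and DNS.

# Constructed sample of `klist -k` output, mirroring the keytab listing in the post.
SAMPLE_KLIST='Keytab name: FILE:./id.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM'

# Constructed sample of the Keycloak "LDAP Configuration" log fragment.
SAMPLE_LOG='{serverPrincipal=HTTP/id.copany.com@SAMBA.COMPANY.COM, pagination=true,'

# server_principal_from_log LOGTEXT -> the serverPrincipal value Keycloak logged.
server_principal_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*serverPrincipal=\([^,}]*\).*/\1/p'
}

# keytab_principals KLIST_OUTPUT -> unique principal names, one per line.
# Entry lines are recognised by a numeric KVNO in the first column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# principal_in_keytab KLIST_OUTPUT PRINCIPAL -> 0 if present, 1 otherwise.
# The comparison is exact: a keytab holding only HTTP/id.samba.company.com@REALM
# does not satisfy a configuration that asks for HTTP/id.company.com@REALM.
principal_in_keytab() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_reverse_dns HOST -> 0 if HOST resolves and its address has a PTR record
# that maps back to HOST (case-insensitive). Uses getent, so it needs the resolver.
check_reverse_dns() {
    host="$1"
    addr=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    ptr=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }' | tr 'A-Z' 'a-z')
    [ "$ptr" = "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" ]
}

# Usage: extract the logged principal and confirm the keytab actually contains it.
want=$(server_principal_from_log "$SAMPLE_LOG")
principal_in_keytab "$SAMPLE_KLIST" "$want" \
    || echo "WARNING: $want not in keytab; keytab has: $(keytab_principals "$SAMPLE_KLIST")"
```

Run it against the real `klist -k` output and the real log line; the reverse DNS check takes the SPN host name, e.g. `check_reverse_dns id.company.com`.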