"Matthias Müller" <matthiasmueller07(a)web.de> writes:
> I added the necessary fields in the ldap configuration before.
> Realm: local.domain
> Principal: HTTP/server.name@local.domain
> Keytab: /etc/keytab/servername.keytab
Ok.
> local.domain and server.name are placeholders for the original
> settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name
That's bad. My system has:
[root@saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root@saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org@EXAMPLE.ORG
Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Until that works you don't need to look at anything else.
Please try:
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name@local.domain
> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name@local.domain (aes256-cts-hmac-sha1-96)
That date looks fishy.
[root@saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
Can you please move the discussion back to the keycloak list? Thanks.
Jochen
--
This space is intentionally left blank.
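The keytab check Jochen walks through above (klist -k on the keytab, then kinit -kt with KRB5_TRACE, and only then klist/kvno), written up as a small POSIX shell script. This is an added example, not code from the thread or from the Keycloak project; the keytab path, principal and realm are placeholders modelled on the example.org values in the reply, the sample klist listing is constructed, and the hint table covers only the messages that appear in this thread plus a few standard MIT Kerberos client errors.

```shell
#!/bin/sh
# Added example: sanity-check a service keytab before handing it to Keycloak.
# Assumes MIT Kerberos client tools (klist, kinit) on the host.

# keytab_has_principal LISTING PRINCIPAL
#   LISTING is the text printed by `klist -k <keytab>`; succeeds (0) if an entry
#   for PRINCIPAL is present. Entry lines start with a numeric KVNO.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# keytab_kvno_count LISTING
#   Prints the number of distinct KVNOs in the listing. More than one usually
#   means the keytab was re-exported; the KDC only accepts the current one.
keytab_kvno_count() {
    printf '%s\n' "$1" | awk \
        '$1 ~ /^[0-9]+$/ { k[$1] = 1 } END { n = 0; for (i in k) n++; print n }'
}

# diagnose_kinit OUTPUT
#   Maps common `kinit -kt` / kvno error text to a short defender-side hint.
diagnose_kinit() {
    case "$1" in
        *"Preauthentication failed"*)
            echo "key mismatch: the keytab key or KVNO does not match the KDC; re-export the keytab" ;;
        *"No credentials cache found"*)
            echo "no ticket cache: kinit has not succeeded yet, so kvno/klist have nothing to use" ;;
        *"Client not found in Kerberos database"*)
            echo "unknown principal: the principal in the keytab does not exist in that realm" ;;
        *"Cannot find KDC"*|*"Cannot contact any KDC"*)
            echo "KDC unreachable: check the realm/kdc entries in /etc/krb5.conf and DNS" ;;
        *"Clock skew"*)
            echo "clock skew: synchronise time between this host and the KDC" ;;
        *) echo "ok" ;;
    esac
}

# check_keytab KEYTAB PRINCIPAL
#   The live procedure: list the keytab, confirm the principal is in it,
#   obtain a TGT from it, and print the cache. On failure, print a hint and
#   the KRB5_TRACE command line to rerun for the full exchange.
check_keytab() {
    ck_keytab=$1
    ck_princ=$2
    [ -r "$ck_keytab" ] || { echo "keytab $ck_keytab is not readable"; return 1; }
    ck_listing=$(klist -k "$ck_keytab") || return 1
    keytab_has_principal "$ck_listing" "$ck_princ" \
        || { echo "$ck_princ is not in $ck_keytab"; return 1; }
    [ "$(keytab_kvno_count "$ck_listing")" -eq 1 ] \
        || echo "warning: several KVNOs in $ck_keytab; only the KDC's current one will work"
    if ck_out=$(kinit -kt "$ck_keytab" "$ck_princ" 2>&1); then
        klist
        return 0
    fi
    echo "kinit failed: $ck_out"
    echo "hint: $(diagnose_kinit "$ck_out")"
    echo "rerun for details: KRB5_TRACE=/dev/stderr kinit -kt $ck_keytab $ck_princ"
    return 1
}

# Constructed sample of `klist -ke` output (placeholder values, not real keys).
SAMPLE_LISTING='Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 HTTP/saml.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)'

# Usage: ./check_keytab.sh /etc/keytab/servername.keytab HTTP/server.name@LOCAL.DOMAIN
if [ $# -ge 2 ]; then
    check_keytab "$1" "$2"
fi
```

Run it as the user Keycloak runs as, not only as root: the "not readable" branch is the usual reason a keytab that works for root does nothing for the service.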