[keycloak-user] Kerberos Authentication
Jochen Hein
jochen at jochen.org
Mon Jul 9 16:19:50 EDT 2018
"Matthias Müller" <matthiasmueller07 at web.de> writes:
> I added the necessary fields in the ldap configuration before.
>
> Realm: local.domain
> Principal: HTTP/server.name@local.domain
> Keytab: /etc/keytab/servername.keytab
Ok.
> local.domain and server.name are placeholders for the original settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name
That's bad. My system has:
[root at saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root at saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org@EXAMPLE.ORG
Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Until that works you don't need to look at anything else.
Please try:
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name@local.domain
> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name@local.domain (aes256-cts-hmac-sha1-96)
That date looks fishy.
[root at saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
Can you please move the discussion back to the keycloak list? Thanks.
Jochen
--
This space is intentionally left blank.
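Added example, not part of the thread above and not Keycloak or MIT Kerberos code: the two klist outputs Jochen compares (KVNO, timestamp, principal, enctype) are read straight out of the keytab file, so a small reader of the MIT version-2 keytab format (magic 0x0502, one size-prefixed entry per key, with a trailing 32-bit vno in newer files) shows exactly what klist -k / klist -kte is reporting and lets you flag the two things discussed here: a timestamp of 0 (the "01/01/1970" entry) and a keytab that does not actually contain the principal you are handing to kinit -kt. The keytab bytes in the demo are constructed in-code by build_keytab() (placeholder principals, dummy key material); HTTP/server.name@LOCAL.DOMAIN and the epoch value are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone

# Kerberos encryption type numbers (RFC 3961/3962, MIT krb5).
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _cstr(s):
    """Counted octet string as used in keytabs: uint16 length + bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, realm, kvno, timestamp, enctype, key) tuples into a
    version-2 (0x0502) MIT keytab. Only used here to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, ts, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm)   # v2: realm not counted
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">II", 1, ts)          # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)     # legacy 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # 32-bit vno written by newer krb5
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Parse a version-2 MIT keytab into entry dicts (the data klist -k prints)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cstr(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cstr(data, off)
            comps.append(c)
        _name_type, ts = struct.unpack_from(">II", data, off)
        off += 8
        vno = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:            # trailing 32-bit vno wins when present and nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": vno, "timestamp": ts, "key": key,
            "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
        })
    return entries


def format_entry(e):
    """Render one entry the way 'klist -kte' does: KVNO, timestamp, principal, enctype."""
    ts = datetime.fromtimestamp(e["timestamp"], timezone.utc).strftime("%m/%d/%Y %H:%M:%S")
    return "%4d %s %s (%s)" % (e["kvno"], ts, e["principal"], e["enctype"])


def check_keytab(entries, expected_principal):
    """Warnings for the two problems visible in the thread: missing principal, zero timestamp."""
    warnings = []
    if not any(e["principal"] == expected_principal for e in entries):
        warnings.append("keytab has no key for %s" % expected_principal)
    for e in entries:
        if e["timestamp"] == 0:
            warnings.append("%s kvno %d: timestamp is 0 (klist shows 01/01/1970), "
                            "the entry was not time-stamped when written"
                            % (e["principal"], e["kvno"]))
    return warnings


if __name__ == "__main__":
    # Constructed sample: placeholder principals and dummy 32-byte AES keys.
    kt = build_keytab([
        ("HTTP/server.name", "LOCAL.DOMAIN", 1, 0, 18, b"\x11" * 32),
        ("HTTP/saml.example.org", "EXAMPLE.ORG", 3, 1531087780, 18, b"\x22" * 32),
    ])
    parsed = parse_keytab(kt)
    for e in parsed:
        print(format_entry(e))
    for w in check_keytab(parsed, "HTTP/server.name@LOCAL.DOMAIN"):
        print("WARNING:", w)
```

To use it on a real file, read the keytab bytes and pass them to parse_keytab(); the principal string must match what you give kinit -kt byte for byte (case of the realm included), which is the first thing to verify when kinit reports a preauthentication failure.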