keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials

Finally - I got it!

The

  samba-tool spn add ...

does not (re)name the UPN as expected in the directory. I found it by comparing with MS ADS entries. So the workaround is to change the value by hand before issuing the exportkeytab command:

  • Open the service user entry with an LDAP tool (I used Apache Directory Studio) and find the just created user.
  • Edit "userPrincipalName" to reflect servicePrincipalName + REALM (in my case http/[email protected]).
  • Export the keytab and everything works as expected.

On the target machine

  kinit -k -t /path/to/exported.keytab http/myserver.mycompany.com

works without any complaints! Hopefully this helps others trying to set up SSO with Samba4 ...
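The check below is an added example, not part of the original post: it reads an LDIF record of the service account (a constructed sample, standing in for what `ldbsearch` against the DC's sam.ldb returns), tests whether userPrincipalName already equals servicePrincipalName plus "@REALM", and if not emits the LDIF modify record that fixes it, so the mismatch is caught before `samba-tool domain exportkeytab` is run. The account name, DN, realm and hostname are assumptions.

```shell
#!/bin/sh
# Added example: verify UPN == SPN@REALM for a Samba AD service account
# before exporting its keytab, and produce the fix as LDIF.
# All names below are hypothetical; SAMPLE_LDIF is constructed, not a real dump.

REALM="EXAMPLE.COM"   # assumed Kerberos realm; realms are upper case

# Constructed record, roughly what
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=http-svc)' \
#       servicePrincipalName userPrincipalName
# would show after `samba-tool spn add`: the SPN is present, but the UPN
# still carries the plain account name, which is what breaks keytab kinit.
SAMPLE_LDIF='dn: CN=http-svc,CN=Users,DC=example,DC=com
sAMAccountName: http-svc
servicePrincipalName: http/myserver.example.com
userPrincipalName: http-svc@example.com'

# expected_upn SPN REALM -> prints "SPN@REALM"
expected_upn() {
    printf '%s@%s\n' "$1" "$2"
}

# ldif_attr LDIF ATTR -> prints the first value of ATTR in the LDIF text
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# upn_matches LDIF REALM -> returns 0 when userPrincipalName == SPN@REALM
upn_matches() {
    spn=$(ldif_attr "$1" servicePrincipalName)
    upn=$(ldif_attr "$1" userPrincipalName)
    [ -n "$spn" ] && [ "$upn" = "$(expected_upn "$spn" "$2")" ]
}

# fix_ldif LDIF REALM -> prints an LDIF modify record that sets the UPN
fix_ldif() {
    dn=$(ldif_attr "$1" dn)
    spn=$(ldif_attr "$1" servicePrincipalName)
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' \
        "$dn" "$(expected_upn "$spn" "$2")"
}

if upn_matches "$SAMPLE_LDIF" "$REALM"; then
    echo "UPN already matches SPN@REALM; safe to run samba-tool domain exportkeytab"
else
    echo "UPN mismatch; apply the LDIF below on the DC, e.g." >&2
    echo "  ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif" >&2
    fix_ldif "$SAMPLE_LDIF" "$REALM"
fi
```

After applying the LDIF, export with `samba-tool domain exportkeytab --principal=http/myserver.example.com http.keytab`, then confirm the principal name stored in the file with `klist -k http.keytab` before trying `kinit -k -t http.keytab`.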