keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials
Finally - I got it!
The samba-tool spn add ... command does not (re)name the UPN as expected in the directory. I found it by comparing with MS ADS entries. So the workaround is to change the value by hand before issuing the exportkeytab command:
- Open the service user entry with an LDAP tool (I used Apache Directory Studio) and
- find the just-created user; edit "userPrincipalName" to reflect servicePrincipalName + REALM (in my case http/[email protected])
- export the keytab and everything works as expected
On the target machine
kinit -k -t http/myserver.mycompany.com
works without any complaints! Hopefully this helps others trying to set up SSO with Samba4 ...
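The same workaround as a script, added here as an example and not part of the original post: it creates the service account, adds the SPN, rewrites userPrincipalName to SPN@REALM with ldbmodify instead of a GUI LDAP editor, exports the keytab and checks that the exported principal is the one you will kinit as (using the usual `kinit -k -t <keytab> <principal>` form). Assumptions: the DC stores its directory at the default /var/lib/samba/private/sam.ldb, the MIT Kerberos klist/kinit are installed, and the account name svc-http and the keytab path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Run on the Samba 4 DC as root.
set -eu

SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"   # assumption: default AD DC database path

# Expected UPN for a service principal: SPN + "@" + REALM (realm upper-cased).
upn_for() {
    spn="$1"; realm="$2"
    printf '%s@%s\n' "$spn" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# LDIF that replaces userPrincipalName on the service user (what the post did by hand).
# $1 = user DN, $2 = SPN, $3 = realm
upn_ldif() {
    dn="$1"; spn="$2"; realm="$3"
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' \
        "$dn" "$(upn_for "$spn" "$realm")"
}

# Look up the DN of a user by sAMAccountName with ldbsearch.
user_dn() {
    ldbsearch -H "$SAMDB" "(sAMAccountName=$1)" dn | awk '/^dn: /{sub(/^dn: /, ""); print; exit}'
}

# After export: the keytab must contain exactly the principal we will kinit as.
# Uses MIT klist output (last column is the principal).
keytab_has_principal() {
    keytab="$1"; principal="$2"
    klist -k -t "$keytab" | awk '{print $NF}' | grep -qxF "$principal"
}

# End-to-end: $1 = account name, $2 = SPN, $3 = realm, $4 = keytab output path
provision_service_keytab() {
    user="$1"; spn="$2"; realm="$3"; keytab="$4"
    principal="$(upn_for "$spn" "$realm")"

    samba-tool user create "$user" --random-password
    samba-tool user setexpiry "$user" --noexpiry
    samba-tool spn add "$spn" "$user"

    # samba-tool spn add leaves userPrincipalName untouched; set it to SPN@REALM.
    upn_ldif "$(user_dn "$user")" "$spn" "$realm" | ldbmodify -H "$SAMDB"

    samba-tool domain exportkeytab "$keytab" --principal="$principal"
    chmod 600 "$keytab"

    if ! keytab_has_principal "$keytab" "$principal"; then
        echo "expected principal $principal not found in $keytab" >&2
        return 1
    fi
    echo "copy $keytab to the target host and run: kinit -k -t $keytab $principal; klist"
}

# Usage on the DC:
#   sh this.sh provision svc-http http/myserver.mycompany.com MYCOMPANY.COM /root/http.keytab
case "${1:-}" in
    provision) shift; provision_service_keytab "$@" ;;
esac
```

Keep the keytab mode 0600 and copy it over an encrypted channel; whoever holds it can obtain tickets as the service. If the keytab is re-exported later, the KVNO changes, so re-run the klist -k check on the target before trusting kinit -k.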