I set up a Samba 4 Active Directory on Ubuntu 14.04 following the Samba AD DC HOWTO. In principle everything works fine, but I am still stuck getting Kerberos authentication with an SPN to work for a web application.
 
When I try to run

kinit -k -t keytabfile http/myserver.mycompany.com

I always get a

kinit: Client not found in Kerberos database while getting initial credentials
What I have checked so far:

- DNS resolves the FQDN both forward and reverse
- kinit with a user name works
- nslookup on the name server and on the web server returns myserver.mycompany.com
- myserver is already joined to the domain and listed under CN=Computers,DC=mycompany,DC=com
- no SPNs are published yet
I created the service account / SPNs / keytab as follows:
samba-tool user create $ADS_USER $ADS_PW --userou=$USER_OU
samba-tool user setexpiry --noexpiry $ADS_USER
samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN} $ADS_USER
samba-tool spn add ${SERVICE_TYPE}/${SERVICE_HOST} $ADS_USER
samba-tool spn list $ADS_USER
rm -f $MY_KEYTAB
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}.${MY_DOMAIN}
samba-tool domain exportkeytab $MY_KEYTAB --principal=${SERVICE_TYPE}/${SERVICE_HOST}
When running

klist -k -e $MY_KEYTAB

everything looks fine:

root@myhost:~# klist -ke ./test.keytab
Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
I am lost. After several hours of googling I have no idea how to troubleshoot or fix the "Client not found in Kerberos database" error. Any hints are welcome!

Thanks

My /etc/krb5.conf on the client:
[libdefaults]
        debug = true
        default_realm = MYCOMPANY.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
[realms]
        MYCOMPANY.COM = {
                kdc = dc01.mycompany.com
                admin_server = dc01.mycompany.com
                kpasswd_server = dc01.mycompany.com
                #ktpasswd_server = dc01.mycompany.com
                #admin_server = dc01.mycompany.com
        }
[domain_realm]
        .mycompany.com = MYCOMPANY.COM
        mycompany.com = MYCOMPANY.COM

On the DC server, /etc/samba/smb.conf:
[global]
        debug level = 1
        syslog = 1
        max log size = 0
        workgroup = MYCOMPANY
        realm = MYCOMPANY.COM
        netbios name = DC01
        server role = active directory domain controller
        server string = MYCOMPANY domain controller
        server role check:inhibit = yes
        dns forwarder = 192.168.22.1
        idmap_ldb:use rfc2307 = yes
Finally I got it!

The

samba-tool spn add ...

does not (re)name the UPN in the directory as expected. I found this by comparing with an MS ADS entry. So the workaround is to change the value manually before issuing the exportkeytab command:
- Open the service user entry with an LDAP tool (I used Apache Directory Studio)
- Find the user you just created and edit "userPrincipalName" to reflect servicePrincipalName@REALM (in my case http/myserver.mycompany.com@MYCOMPANY.COM)
- Export the keytab; everything works as expected

On the target machine

kinit -k -t keytabfile http/myserver.mycompany.com

works without any complaints! Hope this helps others trying to set up SSO with Samba4 …
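As an added diagnostic for the mismatch the answer describes (this is not code from the question, the answer or the Samba project): the Python below parses a `klist -ke` listing in the layout shown in the question and checks each keytab principal against the service account's directory attributes. `kinit -k` sends the keytab principal as the *client* name in the AS-REQ, and an AD-style KDC matches client names against sAMAccountName / userPrincipalName, not against servicePrincipalName, which is why a UPN that still reads `account@REALM` yields "Client not found in Kerberos database". The account attributes, the sAMAccountName `websvc` and the "before"/"after" UPN values are constructed samples; in practice you would paste real `klist -ke` output and the attributes read with an LDAP tool. It also flags the single-DES and RC4 keys present in the question's keytab, which a hardened deployment would not export.

```python
"""Check that keytab principals are usable as kinit -k client principals."""
import re

# Constructed sample: klist -ke output in the layout shown in the question.
SAMPLE_KLIST = """Keytab name: FILE:./test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver.mycompany.com@MYCOMPANY.COM (arcfour-hmac)
   1 http/myserver@MYCOMPANY.COM (des-cbc-crc)
   1 http/myserver@MYCOMPANY.COM (des-cbc-md5)
   1 http/myserver@MYCOMPANY.COM (arcfour-hmac)
"""

# Constructed sample of the service account as an LDAP tool would show it.
# "websvc" is a hypothetical account name. Before the fix the UPN is what
# `samba-tool user create` set; after the fix it equals SPN@REALM.
ACCOUNT_BEFORE = {
    "sAMAccountName": "websvc",
    "userPrincipalName": "websvc@MYCOMPANY.COM",
    "servicePrincipalName": ["http/myserver.mycompany.com", "http/myserver"],
}
ACCOUNT_AFTER = dict(
    ACCOUNT_BEFORE, userPrincipalName="http/myserver.mycompany.com@MYCOMPANY.COM"
)

# One keytab entry: "<kvno> <name>@<REALM> (<enctype>)"; header lines do not match.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")

# Key types that a hardened keytab should not contain.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def parse_klist(output):
    """Return {principal@REALM: set(enctypes)} parsed from `klist -ke` text."""
    entries = {}
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # "Keytab name:", column header and separator lines
        _kvno, name, realm, enctype = m.groups()
        entries.setdefault(f"{name}@{realm}", set()).add(enctype)
    return entries


def check_account(account, keytab_entries, realm):
    """For each keytab principal, decide whether `kinit -k` can use it as the
    client principal. Returns a list of (principal, ok, reason) tuples."""
    spns = set(account.get("servicePrincipalName", []))
    upn = account.get("userPrincipalName", "")
    sam = account["sAMAccountName"]
    findings = []
    for principal in sorted(keytab_entries):
        name, _, prealm = principal.rpartition("@")
        if prealm != realm:
            findings.append((principal, False, f"realm {prealm} is not {realm}"))
        elif name not in spns:
            findings.append((principal, False, "not registered as an SPN on the account"))
        elif principal == upn or name == sam:
            findings.append((principal, True, "matches the account's UPN/sAMAccountName"))
        else:
            findings.append((principal, False,
                             f"userPrincipalName is {upn!r}; the KDC cannot find client "
                             f"{principal!r}, set the UPN to that value before exporting"))
    return findings


def weak_enctypes(keytab_entries):
    """Return {principal: [weak enctypes]} for entries carrying DES or RC4 keys."""
    return {p: sorted(e & WEAK_ENCTYPES)
            for p, e in keytab_entries.items() if e & WEAK_ENCTYPES}


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for label, account in (("before fix", ACCOUNT_BEFORE), ("after fix", ACCOUNT_AFTER)):
        print(f"== {label} ==")
        for principal, ok, reason in check_account(account, entries, "MYCOMPANY.COM"):
            print(f"{'OK  ' if ok else 'FAIL'} {principal}: {reason}")
    for principal, weak in weak_enctypes(entries).items():
        print(f"WEAK {principal}: {', '.join(weak)}")
```

Only the principal that the UPN was changed to passes after the fix; the short `http/myserver` entry remains a valid *service* principal for ticket requests but still cannot be used as the client name for `kinit -k`, since an account has exactly one userPrincipalName.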