Bug 56473 – Keycloak kerberos authentication does not work on clients joined to school servers

Bug 56473 - Keycloak kerberos authentication does not work on clients joined to school servers


Summary:	Keycloak kerberos authentication does not work on clients joined to school se...

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	Keycloak
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2023-08-22 21:45 CEST by Julia Bremer
Modified:	2023-08-22 21:46 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	1: Will affect a very few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Julia Bremer

2023-08-22 21:45:35 CEST

Because there are different Samba databases on each school server, the keycloak app does not add the SPN for ucs-sso-ng to every samba on each school. 

We need to add the spn for the kerberos service in the following way in the joinscript of the school replica joinscript 62ucs-school-replica.inst just like we did for simpleSAMLphp

samba-tool spn add “HTTP/$keycloak_server_sso_fqdn” “krbkeycloak”