Thanks for the information Alexander, I managed to get it working. For reference for others in the future, I did the following:

1) Enrolled the keycloak server with FreeIPA using ipa-client-install, then rebooted.
2) On the FreeIPA GUI, under the Identity tab and Services sub-tab, I created 3 new services with service being HTTP and hostname being the server name of the respective nginx vhost.
3) Edited each service to add the 'Allowed to retrieve keytab' restriction to only allow the keycloak server to get the keytabs.
4) On the keycloak server I ran kinit admin to allow me to pull keytabs.
5) I created a folder in my keycloak root called keytabs with mkdir /opt/keycloak/keytabs
6) I ran ipa-getkeytab -s [MY FREEIPA SERVER] -p HTTP/[MY Nginx VHOST Server Name] -k /opt/keycloak/keytabs/[MY KEYCLOAK REALM NAME].keytab for each vhost/keycloak realm.
7) I ran chown -R keycloak:keycloak /opt/keycloak/keytabs
8) I ran chmod 0640 /opt/keycloak/keytabs/*
9) In the keycloak admin panel, switched to the realm I wanted to work on and went to Authentication, then Browser.
10) Switched Kerberos from disabled (new default) to alternative (this one confused me a bit as it used to be alternative by default).
11) Went to User Federation, then clicked on my FreeIPA LDAP provider.
12) Scrolled down to Kerberos Integration and checked allow Kerberos authentication.
13) In Kerberos realm I set my FreeIPA realm in capital letters.
14) In Server principal I put HTTP/[NGINX VHOST SERVER NAME AND KEYCLOAK REALM PAIRING]@[FREEIPA Realm Name]
15) In Keytab I set /opt/keycloak/keytabs/[Keycloak REALM NAME].keytab
16) Saved and closed the browser.

It all started working after that. Note: when using multiple domains, ensure your browser is configured to try to authenticate with the domains. In Firefox, go to about:config in the browser and search or filter for network.negotiate-auth.trusted-uris, adding a comma-separated list of domains to push Kerberos tokens to. For example, all my internal stuff is under domain1.tld, but for public stuff auth is only needed on auth.domain2.tld, so my setting in Firefox is .domain1.tld,auth.domain2.tld. Hope this helps anyone in the future.

-- 
FreeIPA-users mailing list
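As an added example (not from the post above), the script below automates steps 6 to 8 for several vhost/realm pairs and then checks each keytab with klist and a kinit -kt before Keycloak is pointed at it. The FreeIPA server, Kerberos realm, Keycloak realm names and vhosts are assumed placeholders; it needs a valid admin ticket (step 4) and GNU stat.

```shell
#!/usr/bin/env bash
# Added example: fetch, lock down and verify one keytab per Keycloak realm.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.domain1.tld}"    # assumption: your FreeIPA server
KRB_REALM="${KRB_REALM:-DOMAIN1.TLD}"          # assumption: FreeIPA realm, upper case
KEYTAB_DIR="${KEYTAB_DIR:-/opt/keycloak/keytabs}"

# Constructed sample: "keycloak-realm nginx-vhost" pairs, one per line.
PAIRS="internal  sso.domain1.tld
public    auth.domain2.tld"

# Service principal for an nginx vhost, as entered in Keycloak's Server principal field.
principal_for() {  # $1 = vhost
    printf 'HTTP/%s@%s\n' "$1" "$KRB_REALM"
}

# Keytab path named after the Keycloak realm, as in step 6.
keytab_path_for() {  # $1 = keycloak realm
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"
}

# 0 when the keytab is owned by keycloak:keycloak and no more open than 0640.
keytab_perms_ok() {  # $1 = path
    local mode owner
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U:%G' "$1") || return 1
    [ "$owner" = "keycloak:keycloak" ] || return 1
    case "$mode" in 640|600|440|400) return 0 ;; *) return 1 ;; esac
}

fetch_and_verify() {  # $1 = keycloak realm, $2 = vhost
    local princ kt
    princ=$(principal_for "$2")
    kt=$(keytab_path_for "$1")
    install -d -m 0750 -o keycloak -g keycloak "$KEYTAB_DIR"
    # ipa-getkeytab issues a new key, so any older copy of this keytab stops working.
    ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$kt"
    chown keycloak:keycloak "$kt"
    chmod 0640 "$kt"
    klist -kt "$kt"
    # Prove the key works: obtain a ticket into a throwaway in-memory cache.
    KRB5CCNAME=MEMORY:keytab-check kinit -kt "$kt" "$princ"
    keytab_perms_ok "$kt" && echo "OK: $princ -> $kt"
}

main() {
    printf '%s\n' "$PAIRS" | while read -r realm vhost; do
        [ -n "$realm" ] && fetch_and_verify "$realm" "$vhost"
    done
}

# Only touch FreeIPA when explicitly asked, so the functions can be sourced safely.
if [ "${RUN_KEYTABS:-0}" = "1" ]; then main; fi
```

Run it as root on the Keycloak host with RUN_KEYTABS=1 after kinit admin; a failing kinit -kt here means the principal or keytab is wrong before Keycloak ever sees it.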
