tune_sssd.sh: add HTTP SPN for web services GSSAPI auth

dc-client/tune_sssd.sh

@@ -198,6 +198,12 @@ if net ads testjoin 2>/dev/null; then
         echo "Keytab missing correct FQDN, refreshing..."
         net ads keytab create || echo "Warning: failed to refresh keytab"
     fi
+    # Add HTTP SPN for web services (e.g. GSSAPI auth)
+    FQDN=$(hostname -f)
+    if ! net ads search -P "(samaccountname=$(hostname -s)\$)" servicePrincipalName 2>/dev/null | grep -qi "HTTP/$FQDN"; then
+        echo "Adding HTTP/$FQDN SPN for web services..."
+        net ads setspn add "HTTP/$FQDN" 2>/dev/null && net ads keytab create || echo "Warning: failed to add HTTP SPN"
+    fi
 else
     echo "Machine account is broken or not joined, (re)joining..."
     # Leave domain first if there's a stale join (use admin ticket from kinit)
@@ -209,6 +215,10 @@ else
     # This requires msDS-AllowedDNSSuffixes to include the DNS subdomain on the DC
     # Note: --use-kerberos=required doesn't work here, need explicit -U for credentials
     net ads join dnshostname=$(hostname -f) -U $ADMIN --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
+    # Add HTTP SPN for web services (e.g. GSSAPI auth)
+    FQDN=$(hostname -f)
+    echo "Adding HTTP/$FQDN SPN for web services..."
+    net ads setspn add "HTTP/$FQDN" 2>/dev/null && net ads keytab create || echo "Warning: failed to add HTTP SPN"
 fi
 
 kdestroy