ralph strebbing
2022-Feb-15 20:12 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote:> If you get that working, I would love to see a wiki page describing the > arrangement so we can help others with similar devices.A way that I'm going to try getting this working is to use the Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm hung up on right now is getting the keytab generated properly. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html The above link describes the commands to run on a windows DC, how should those translate for Samba? Ralph
Andrew Bartlett
2022-Feb-15 20:18 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, 2022-02-15 at 15:12 -0500, ralph strebbing wrote:> On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote: > > If you get that working, I would love to see a wiki page describing the > > arrangement so we can help others with similar devices. > A way that I'm going to try getting this working is to use the > Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm > hung up on right now is getting the keytab generated properly. > https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html > The above link describes the commands to run on a windows DC, how > should those translate for Samba?samba-tool domain exportkeyab is your friend, running on the DC. Just specify the SPN you need to export, otherwise you will export the whole domain. Check with ktutil. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba