Andrew Bartlett
2022-Feb-15 20:18 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, 2022-02-15 at 15:12 -0500, ralph strebbing wrote:
> On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote:
> > If you get that working, I would love to see a wiki page describing the
> > arrangement so we can help others with similar devices.
>
> A way that I'm going to try getting this working is to use the
> Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm
> hung up on right now is getting the keytab generated properly.
> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html
> The above link describes the commands to run on a Windows DC; how
> should those translate for Samba?

samba-tool domain exportkeytab is your friend, running on the DC. Just
specify the SPN you need to export, otherwise you will export the whole
domain. Check with ktutil.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
ralph strebbing
2022-Feb-16 16:25 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
> samba-tool domain exportkeytab is your friend, running on the DC. Just
> specify the SPN you need to export, otherwise you will export the whole
> domain. Check with ktutil.

I feel a bit silly. So I've gone ahead and run the following commands, as I've gathered they needed adapting from the Windows commands given in the link posted before:

samba-tool spn add HTTP/gw.domain.com@DOMAIN.COM fwuser

The last piece there is the service user I've created for the firewall. Then I ran:

samba-tool domain exportkeytab gw.keytab --principal=fwuser

When I attempted to import the keytab into the firewall, however, I was presented with the following error:

"service principal name "fwuser" is not allowed (not start with HTTP)"

This is where I was getting hung up, and I presume something declared in the PaloAlto docs indicates how the file/SPN is formatted. But I'm not sure how that needs to translate to the Samba commands (if possible).

Thanks,
Ralph
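The firewall's error is about the principal name stored inside the keytab, so it helps to inspect the exported file without ktutil. The following is an added example, not code from the thread or from Samba: a small parser for the Kerberos v5 keytab format (version 0x0502, the format samba-tool domain exportkeytab writes) that lists the principals in a keytab and applies the firewall's "must start with HTTP/" rule. The two entries in SAMPLE_KEYTAB are constructed here with a throwaway all-zero key to stand in for a real gw.keytab.

```python
"""List the principals stored in a Kerberos v5 keytab and check them
against the PaloAlto requirement that the SPN begin with HTTP/."""
import struct


def _counted(buf, pos):
    """Read a keytab counted_octet_string (uint16 length + bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def keytab_principals(data):
    """Return every principal in the keytab as 'comp1/comp2@REALM'."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, principals = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted entry slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(entry, p)
            comps.append(comp)
        # name_type, timestamp, vno and the key follow; not needed here
        principals.append("/".join(comps) + "@" + realm)
        pos += size
    return principals


def spn_ok_for_firewall(principal):
    """The firewall rejects any principal not of the form HTTP/host@REALM."""
    return principal.startswith("HTTP/")


def build_entry(realm, comps, kvno=2, enctype=18, key=b"\x00" * 32):
    """Construct one keytab entry (sample data only, key is a dummy)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno)  # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: an account-name entry (what --principal=fwuser gives)
# and an HTTP service entry (what the firewall expects).
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("DOMAIN.COM", ["fwuser"])
                 + build_entry("DOMAIN.COM", ["HTTP", "gw.domain.com"]))
```

To check a real export, call keytab_principals(open("gw.keytab", "rb").read()) and confirm that every returned principal satisfies spn_ok_for_firewall.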