ralph strebbing
2022-Feb-16 16:25 UTC
[Samba] Compatibility With PaloAlto User Identification
On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
> samba-tool domain exportkeytab is your friend, running on the DC. Just
> specify the SPN you need to export, otherwise you will export the whole
> domain. Check with ktutil.

I feel a bit silly. So I've gone ahead and run the following commands, as I've gathered they needed to be adapted from the Windows commands given in the link posted before:

samba-tool spn add HTTP/gw.domain.com@DOMAIN.COM fwuser

The last piece there is the service user I've created for the firewall. Then I ran:

samba-tool domain exportkeytab gw.keytab --principal=fwuser

When I attempted to import the keytab into the firewall, however, I was presented with the following error:

"service principal name "fwuser" is not allowed (not start with HTTP)"

This is where I was getting hung up, and I presume something declared in the PaloAlto docs indicates how the file/SPN is formatted. But I'm not sure how that needs to translate to the samba commands (if possible).

Thanks,
Ralph
Rowland Penny
2022-Feb-16 17:17 UTC
[Samba] Compatibility With PaloAlto User Identification
On Wed, 2022-02-16 at 11:25 -0500, ralph strebbing via samba wrote:> On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> > wrote: > > samba-tool domain exportkeyab is your friend, running on the > > DC. Just > > specify the SPN you need to export, otherwise you will export the > > whole > > domain. Check with ktutil. > I feel a bit silly. So I've gone ahead and run the following commands > as I've gathered they needed adapted from the windows commands given > in the link posted before; > samba-tool spn add HTTP/gw.domain.com at DOMAIN.COM fwuser > The last piece there is the service user I've created for the > firewall. > Then I ran: > samba-tool domain exportkeytab gw.keytab --principal=fwuser > > When I attempted to import the keytab into the firewall however, I > was > presented with the following error: > "service principal name "fwuser" is not allowed (not start with > HTTP)"I think you have run into the problem that SPN's have to be unique and if 'gw.domain.com' is joined to the domain it will have the SPN 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'. Try reading this thread: https://lists.samba.org/archive/samba/2021-November/238694.html Rowland