Rowland Penny
2022-Feb-16 17:17 UTC
[Samba] Compatibility With PaloAlto User Identification
On Wed, 2022-02-16 at 11:25 -0500, ralph strebbing via samba wrote:
> On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > samba-tool domain exportkeytab is your friend, running on the DC. Just
> > specify the SPN you need to export, otherwise you will export the whole
> > domain. Check with ktutil.
> I feel a bit silly. So I've gone ahead and run the following commands,
> as I've gathered they needed adapting from the Windows commands given
> in the link posted before:
> samba-tool spn add HTTP/gw.domain.com@DOMAIN.COM fwuser
> The last piece there is the service user I've created for the firewall.
> Then I ran:
> samba-tool domain exportkeytab gw.keytab --principal=fwuser
>
> When I attempted to import the keytab into the firewall however, I was
> presented with the following error:
> "service principal name "fwuser" is not allowed (not start with HTTP)"

I think you have run into the problem that SPNs have to be unique and
if 'gw.domain.com' is joined to the domain it will have the SPN
'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.

Try reading this thread:
https://lists.samba.org/archive/samba/2021-November/238694.html

Rowland
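Rowland's point is that a service principal name may be registered on only one account, and that a joined host's HOST/ SPN implicitly covers HTTP/ (and other services) for the same host name, so a user account holding HTTP/gw.domain.com collides with the computer account holding HOST/gw.domain.com. The following is an added example, not code from this thread or from Samba: it reads constructed LDIF-style records (standing in for what ldbsearch or samba-tool spn list would return), expands HOST/ into its aliases, and reports every service/host pair claimed by more than one account. The alias set HOST_ALIASES is an assumed subset of the default AD sPNMappings, and the three sample records are made up.

```python
# Constructed sample records; not real directory data. GW$ and fwuser collide
# once HOST/ is expanded; SRV2$ holds both SPNs itself, which is not a conflict.
SAMPLE_LDIF = """\
dn: CN=GW,CN=Computers,DC=domain,DC=com
sAMAccountName: GW$
servicePrincipalName: HOST/gw.domain.com
servicePrincipalName: HOST/GW

dn: CN=fwuser,CN=Users,DC=domain,DC=com
sAMAccountName: fwuser
servicePrincipalName: HTTP/gw.domain.com

dn: CN=SRV2,CN=Computers,DC=domain,DC=com
sAMAccountName: SRV2$
servicePrincipalName: HOST/srv2.domain.com
servicePrincipalName: HTTP/srv2.domain.com
"""

# Assumed subset of the services that AD's default sPNMappings fold into HOST.
HOST_ALIASES = {"http", "cifs", "ldap", "rpc"}


def parse_ldif(text: str) -> list:
    """Split blank-line separated 'attr: value' records into dicts of value lists."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        records.append(cur)
    return records


def spn_owners(records: list) -> dict:
    """Map lowercased 'service/host' -> {account: {SPNs as registered}}, HOST/ expanded."""
    owners = {}
    for rec in records:
        account = rec["sAMAccountName"][0]
        for spn in rec.get("servicePrincipalName", []):
            service, _, host = spn.partition("/")
            service, host = service.lower(), host.lower()
            services = {service} | (HOST_ALIASES if service == "host" else set())
            for svc in services:
                owners.setdefault(f"{svc}/{host}", {}).setdefault(account, set()).add(spn)
    return owners


def find_conflicts(records: list) -> dict:
    """Return only the service/host pairs that more than one account claims."""
    return {key: accts for key, accts in spn_owners(records).items() if len(accts) > 1}


if __name__ == "__main__":
    for key, accts in sorted(find_conflicts(parse_ldif(SAMPLE_LDIF)).items()):
        claims = ", ".join(f"{a} via {sorted(s)}" for a, s in sorted(accts.items()))
        print(f"{key} is claimed twice: {claims}")
```

Run against a real export, the only thing to change is the text fed to parse_ldif; the conflict for gw.domain.com shows up as the computer account claiming it through HOST/ and fwuser claiming it through HTTP/.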
Kees van Vloten
2022-Feb-16 17:29 UTC
[Samba] Compatibility With PaloAlto User Identification
On 16-02-2022 18:17, Rowland Penny via samba wrote:
> On Wed, 2022-02-16 at 11:25 -0500, ralph strebbing via samba wrote:
>> On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
>>> samba-tool domain exportkeytab is your friend, running on the DC. Just
>>> specify the SPN you need to export, otherwise you will export the whole
>>> domain. Check with ktutil.
>> I feel a bit silly. So I've gone ahead and run the following commands,
>> as I've gathered they needed adapting from the Windows commands given
>> in the link posted before:
>> samba-tool spn add HTTP/gw.domain.com@DOMAIN.COM fwuser
>> The last piece there is the service user I've created for the firewall.
>> Then I ran:
>> samba-tool domain exportkeytab gw.keytab --principal=fwuser
>>
>> When I attempted to import the keytab into the firewall however, I was
>> presented with the following error:
>> "service principal name "fwuser" is not allowed (not start with HTTP)"
> I think you have run into the problem that SPNs have to be unique and
> if 'gw.domain.com' is joined to the domain it will have the SPN
> 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
>
> Try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html
>
> Rowland

Or this one perhaps?
https://lists.samba.org/archive/samba/2021-July/236636.html

- Kees
ralph strebbing
2022-Feb-16 17:52 UTC
[Samba] Compatibility With PaloAlto User Identification
On Wed, Feb 16, 2022 at 12:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> I think you have run into the problem that SPNs have to be unique and
> if 'gw.domain.com' is joined to the domain it will have the SPN
> 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
>
> Try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html

Going through the posts there, I was able to export a keytab that specifies
the principal HTTP/gw.domain.com@DOMAIN.COM

Now how would I go about exporting the password into the keytab (as it seems
the firewall wants)? The command on Windows that I was able to piece together is:

ktpass /princ HTTP/gw.domain.com@DOMAIN.COM /mapuser DOMAIN\fwuser /pass plaintextpasswd /out gw.keytab /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

At this point, the following args have been successfully figured out (I think)
with the samba-tool domain exportkeytab command:

/princ HTTP/gw.domain.com@DOMAIN.COM

Not sure about the user mapping (/mapuser DOMAIN\fwuser)

So what would be next as far as passing the password into the file, setting
the ptype to KRB5_NT_PRINCIPAL (assuming that this isn't a default), and
setting the encryption?

Thanks,
Ralph
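The remaining ktpass arguments map onto fields inside the keytab rather than onto exportkeytab options. A keytab holds keys, not a password: for RC4-HMAC the key is the account's NT hash, MD4 over the UTF-16LE password, which is what ktpass derives from /pass with /crypto RC4-HMAC-NT and what the DC already stores, so samba-tool domain exportkeytab writes it without being given the password. /ptype KRB5_NT_PRINCIPAL is Kerberos name type 1 and RC4-HMAC is enctype 23, both stored per entry. The following added example (mine, not code from this thread or from Samba) builds two small keytabs in the MIT 0x0502 format, one for the bare fwuser principal and one for HTTP/gw.domain.com, then decodes them the way ktutil would list them and applies the checks the firewall error implies. The realm, password and kvno are constructed, and the fwuser entry stands in for what the first export produced.

```python
import struct

KRB5_NT_PRINCIPAL = 1     # ktpass /ptype KRB5_NT_PRINCIPAL
ETYPE_RC4_HMAC = 23       # ktpass /crypto RC4-HMAC-NT


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", (len(data)) * 8)
    rounds = ((f, 0, (3, 7, 11, 19), list(range(16))),
              (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
              (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c       # rotate so the next step updates the next register
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC key == NT hash == MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def _counted(s: str) -> bytes:
    return struct.pack(">H", len(s.encode())) + s.encode()


def keytab_entry(principal: str, realm: str, key: bytes, enctype: int, kvno: int,
                 name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """Serialise one MIT keytab (format 0x0502) entry; all fields big-endian."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm) + b"".join(map(_counted, comps))
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key                # keyblock
    body += struct.pack(">I", kvno)                                    # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(blob: bytes) -> list:
    """Decode a 0x0502 keytab into dicts, roughly what `ktutil` / `klist -kt` lists."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        key = blob[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:            # a nonzero 32-bit vno overrides the 8-bit one
            kvno = struct.unpack_from(">I", blob, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "service": comps[0],
                        "name_type": name_type, "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def firewall_problems(entries) -> list:
    """The constraints the thread implies: HTTP/ service, KRB5_NT_PRINCIPAL, an RC4-HMAC key."""
    problems = []
    for e in entries:
        if e["service"] != "HTTP":
            problems.append(f'{e["principal"]}: service principal name does not start with HTTP')
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f'{e["principal"]}: name type {e["name_type"]} is not KRB5_NT_PRINCIPAL')
    if not any(e["enctype"] == ETYPE_RC4_HMAC for e in entries):
        problems.append("no RC4-HMAC (enctype 23) key present")
    return problems


# Constructed sample: realm, password and kvno are made up for the demonstration.
REALM, PASSWORD, KVNO = "DOMAIN.COM", "Correct-Horse-42", 2
FIRST_TRY = build_keytab([keytab_entry("fwuser", REALM, nt_hash(PASSWORD), ETYPE_RC4_HMAC, KVNO)])
SECOND_TRY = build_keytab([keytab_entry("HTTP/gw.domain.com", REALM, nt_hash(PASSWORD), ETYPE_RC4_HMAC, KVNO)])

if __name__ == "__main__":
    for label, blob in (("fwuser", FIRST_TRY), ("HTTP/gw.domain.com", SECOND_TRY)):
        print(label, firewall_problems(parse_keytab(blob)) or "OK")
```

To check a real gw.keytab, feed its bytes to parse_keytab and firewall_problems; the kvno it reports must match the account's current msDS-KeyVersionNumber, since a password change on the DC bumps it and the key stops matching.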