Hello Achim,
yes, if you change the userPrincipalName LDAP attribute, that's sufficient.
That's what I changed through the Windows tool.
greetz,
Louis
On 29 Aug 2016 at 19:42, Achim Gottinger via samba <samba at
lists.samba.org> wrote:
On 29.08.2016 at 17:17, L.P.H. van Belle via samba wrote:
No,
That was not sufficient, I had to use the Windows tool to change it.
This is the explanation from the developer of the squid helper.
/snap
I would say they are bugs. The first “issue” is as you say more about
understanding the difference between UPN and SPN and how the tools use them.
The helper tries to “authenticate” squid to AD as a user with the found SPN
name, so the UPN must be the same as the SPN. There is no easy way to query
what the UPN for the SPN is.
Also msktutil (my preferred tool) creates a machine account not a user account
in AD. The reason I prefer this is that often user accounts have a global
password policy e.g. change every 60 days otherwise it will be locked. Machine
accounts do not have that limitation. But as I said it is just my preference.
/snap.
Greetz,
Louis
-----Original message-----
Hello Louis,
Ain't it sufficient to export only the http SPN into a keytab file and
pass that to squid?
How did you change the UPN?
achim~
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I always understood SPNs act like aliases for the UPN, so that
explanation is a bit odd.
Is it sufficient to change the userPrincipalName LDAP attribute of the
user account? That would work on the Linux side.