Hai

After my squid group adventure, I have a remaining question here.

The problem was as follows (and this probably doesn't apply to squid kerberos helpers only).

The samba-tool setup for squid I used was as follows:

    samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
    samba-tool user setexpiry squid1-service --noexpiry
    samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:
My UPN was set to username@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).

    samba-tool spn list squid1-service
    squid1-service
    User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
    HTTP/proxy.internal.domain.tld
    HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD

So far all ok, but it seems if you use a user as computer account, you must change the UPN.
And in this case I changed the UPN from username@internal.domain.tld to: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
Which was key to get the squid ext_kerberos_ldap_group_acl correctly working.

I hope this helps someone for something ;-)

So my suggestion: adding an option that shows and can change the UserPrincipalName from within samba-tool would be great.
Or did I miss this option somewhere?

Greetz,

Louis
On 29.08.2016 at 16:18, L.P.H. van Belle via samba wrote:
> [...]
> So far all ok, but it seems if you use a user as computer account, you must change the UPN.
> And in this case I changed the UPN from username@internal.domain.tld to: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
> Which was key to get the squid ext_kerberos_ldap_group_acl correctly working.
> [...]

Hello Louis,

Ain't it sufficient to export only the http SPN into a keytab file and pass that to squid?
How did you change the UPN?

achim~
No,

That was not sufficient, I had to use the Windows tool to change it.

This is the explanation from the developer of the squid helper.

/snap
I would say they are bugs. The first "issue" is, as you say, more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to "authenticate" squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.

Also msktutil (my preferred tool) creates a machine account, not a user account, in AD. The reason I prefer this is that often user accounts have a global password policy, e.g. change every 60 days, otherwise it will be locked. Machine accounts do not have that limitation. But as I said, it is just my preference.
/snap

Greetz,

Louis

> -----Original message-----
> Hello Louis,
>
> Ain't it sufficient to export only the http SPN into a keytab file and
> pass that to squid?
> How did you change the UPN?
>
> achim~
On 29.08.2016 at 17:17, L.P.H. van Belle via samba wrote:
> No,
>
> That was not sufficient, I had to use the Windows tool to change it.
>
> This is the explanation from the developer of the squid helper.
> /snap
> [...] The helper tries to "authenticate" squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
> [...]
> /snap

I always understood SPNs act like aliases for the UPN, so that explanation is a bit odd.

Is it sufficient to change the userPrincipalName LDAP attribute of the user account? That would work on the Linux side.
Hi Louis,

2016-08-29 16:18 GMT+02:00 L.P.H. van Belle via samba <samba@lists.samba.org>:
> [...]
> So far all ok, but it seems if you use a user as computer account, you
> must change the UPN.
> And in this case I changed the UPN from username@internal.domain.tld to:
> HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
> Which was key to get the squid ext_kerberos_ldap_group_acl correctly
> working.

SPNs must be unique in AD because they are used in an LDAP filter to search for the user account these SPNs are linked to.

When searching for a user the filter could be "(sAMAccountName=toto)" or "(userPrincipalName=toto_long_form@domain.tld)". This will return the "toto" user LDAP object, as you know.

Now, if my understanding is correct, when a service uses an SPN the LDAP filter will use that SPN to retrieve the user object: "(serviceprincipalname=SERVICE/toto)". This, again, will retrieve the toto LDAP user object.

I noticed that playing months ago with Bind+DLZ SPNs.

That said, your need to set the UPN in SPN form suggests to me that the filter used by your Squid is not correct. Perhaps by default Squid uses the UPN; perhaps there is an option in its configuration files to change that default behaviour (using UPN) to tell it to use the SPN.

Once Squid looks for the SPN in its filters you should be able to remove the SPN from the UPN and set back a normal UPN as UPN (rather than SPN as UPN).

Hoping that's clear... cheers : )

> I hope this helps someone for something ;-)
>
> So my suggestion: adding an option that shows and can change the
> UserPrincipalName from within samba-tool would be great.
> Or did I miss this option somewhere?
>
> Greetz,
>
> Louis
And reading the last mails comforts me in believing the filter used by the client side to retrieve the user is not correct; that filter should use the SPN, then you won't need to set the SPN in the UPN field.

2016-08-30 15:55 GMT+02:00 mathias dufresne <infractory@gmail.com>:
> [...]
> That said, your need to set the UPN in SPN form suggests to me that the filter used
> by your Squid is not correct. Perhaps by default Squid uses the UPN; perhaps
> there is an option in its configuration files to change that default
> behaviour (using UPN) to tell it to use the SPN.
>
> Once Squid looks for the SPN in its filters you should be able to remove
> the SPN from the UPN and set back a normal UPN as UPN (rather than SPN as UPN).
> [...]
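An added example, not from this thread nor from Samba or Squid, that models the checks the thread discusses: it resolves an account by servicePrincipalName the way the LDAP filter described above would, enforces that the SPN is unique, and reports whether the account's userPrincipalName already has the SPN-with-realm form the helper was said to require, emitting the LDIF that ldbmodify would apply otherwise. The LDIF data, realm, OU and account names are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data in ldbsearch output style (not a real domain).
SAMPLE_LDIF = """\
dn: CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld
sAMAccountName: squid1-service
userPrincipalName: squid1-service@internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld
servicePrincipalName: HTTP/proxy.internal.domain.tld@INTERNAL.DOMAIN.TLD

dn: CN=squid2-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld
sAMAccountName: squid2-service
userPrincipalName: HTTP/proxy2.internal.domain.tld@INTERNAL.DOMAIN.TLD
servicePrincipalName: HTTP/proxy2.internal.domain.tld
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from simple unfolded, unencoded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def find_by_spn(entries, spn):
    """Emulate the (servicePrincipalName=...) filter; AD matches case-insensitively."""
    return [dn for dn, e in entries.items()
            if spn.lower() in (v.lower() for v in e.get("servicePrincipalName", []))]

def check_account(entries, spn, realm):
    """Return (dn, current_upn, fix_ldif); fix_ldif is None when the UPN already matches."""
    hits = find_by_spn(entries, spn)
    if len(hits) != 1:              # the filter must yield exactly one object
        raise ValueError(f"SPN {spn} matches {len(hits)} accounts; it must be unique")
    dn = hits[0]
    upn = entries[dn]["userPrincipalName"][0]
    want = spn if "@" in spn else f"{spn}@{realm}"   # SPN-with-realm form from the thread
    if upn.lower() == want.lower():
        return dn, upn, None
    # LDIF suitable for: ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif
    fix = (f"dn: {dn}\nchangetype: modify\n"
           f"replace: userPrincipalName\nuserPrincipalName: {want}\n")
    return dn, upn, fix
```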