No, that's not it.

samba-tool does not set UPN but msktutil does set the UPN.

So an option for samba-tool to set UPN would be nice...

Greetz

Louis

> On 28 Dec 2016 at 18:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Wed, 28 Dec 2016 17:05:39 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> No, it's a misconfiguration somewhere.
>> Squid works fine, I have it all running.
>> Took me some time to understand things but it works fine now.
>>
>> See the list links..
>>
>> Greetz,
>>
>> Louis
>
> OK, I have been looking into this and it seems that squid wants a UPN
> like 'HTTP/proxy02.example.com'. The only problem is, (in my
> opinion), that is an SPN, so, I repeat, squid is broken.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Thu, 29 Dec 2016 09:25:20 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> No, that's not it.
>
> samba-tool does not set UPN but msktutil does set the UPN.
>
> So an option for samba-tool to set UPN would be nice...
>
>
> Greetz
>
> Louis

Yes it is !!

From my point of view, squid is expecting an SPN, but seems to accept
a UPN. Have you tried using the machine account and adding an SPN to
that?

Rowland

Hai Rowland,

Simply put,

- UPN: An entity performing client requests to some service.
  Entity may be human or machine.
  Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721629(v=vs.85).aspx#_security_user_principal_name_gly

- SPN: An entity processing requests for a specific service, e.g.,
  HTTP, LDAP, SSH, etc. Entity is Machine only.
  Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly

And normally a UPN retrieves a service ticket for an SPN to use that
actual service.

Now how is this a squid problem if samba-tool does not give the
options to set a UPN to the machine also? But this is mainly a
Windows KDC and Unix KDC difference but still.

Resulting that in Windows terms we need to set the SPN to a machine
UPN. Which is always: namehostname$@REALM

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Thursday 29 December 2016 11:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Error with samba update in debian.
>
> On Thu, 29 Dec 2016 09:25:20 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > No, that's not it.
> >
> > samba-tool does not set UPN but msktutil does set the UPN.
> >
> > So an option for samba-tool to set UPN would be nice...
> >
> >
> > Greetz
> >
> > Louis
>
> Yes it is !!
>
> From my point of view, squid is expecting an SPN, but seems to accept
> a UPN. Have you tried using the machine account and adding an SPN to
> that?
>
> Rowland

On Fri, 30 Dec 2016 10:10:07 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> Simply put,
>
> - UPN: An entity performing client requests to some service.
>   Entity may be human or machine.
>   Source:
>   https://msdn.microsoft.com/en-us/library/windows/desktop/ms721629(v=vs.85).aspx#_security_user_principal_name_gly
>
>
> - SPN: An entity processing requests for a specific service, e.g.,
>   HTTP, LDAP, SSH, etc. Entity is Machine only.
>   Source:
>   https://msdn.microsoft.com/en-us/library/windows/desktop/ms721625(v=vs.85).aspx#_security_service_principal_name_gly
>
> And normally a UPN retrieves a service ticket for an SPN to use that
> actual service.
>
> Now how is this a squid problem if samba-tool does not give the
> options to set a UPN to the machine also? But this is mainly a
> Windows KDC and Unix KDC difference but still.
>
> Resulting that in Windows terms we need to set the SPN to a machine
> UPN. Which is always: namehostname$@REALM
>

Quite right, it isn't really a squid problem.

Since then, I have taken a look at the squid code and I cannot find a
mention of UPN, but there are lots of SPN references.

If you look here:

https://msdn.microsoft.com/en-us/library/ms680857%28v=vs.85%29.aspx

You will find this:

By convention, this should map to the user email name.

So by using a UPN instead of an SPN, you are potentially breaking
something.

Rowland