Rowland Penny
2022-Feb-16 18:00 UTC
[Samba] Compatibility With PaloAlto User Identification
On Wed, 2022-02-16 at 12:52 -0500, ralph strebbing wrote:
> On Wed, Feb 16, 2022 at 12:18 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > I think you have run into the problem that SPNs have to be unique
> > and if 'gw.domain.com' is joined to the domain it will have the SPN
> > 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
> >
> > Try reading this thread:
> > https://lists.samba.org/archive/samba/2021-November/238694.html
> Going through the posts there, I was able to export a keytab that
> specifies the principal HTTP/gw.domain.com@DOMAIN.COM
> Now how would I go about exporting the password into the keytab (as
> it seems the firewall wants)?
> The command on Windows that I was able to piece together is:
> ktpass /princ HTTP/gw.domain.com@DOMAIN.COM /mapuser DOMAIN\fwuser
> /pass plaintextpasswd /out gw.keytab /ptype KRB5_NT_PRINCIPAL /crypto
> RC4-HMAC-NT
> At this point, the following args have been successfully figured
> out (I think) with the samba-tool domain exportkeytab command:
> /princ HTTP/gw.domain.com@DOMAIN.COM
> Not sure about the usermapping (/mapuser DOMAIN\fwuser)
>
> So what would be next as far as passing the password into the file,
> setting the ptype to KRB5_NT_PRINCIPAL (assuming that this isn't a
> default), and setting the encryption?
>
> Thanks,
> Ralph

Did you create the user 'fwuser' with a password ?

Rowland
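
The following is an added example, not part of the original thread and not Samba's code. A keytab entry stores the principal, a name type, a key version number and an encryption type together with the key, so the values that ktpass takes as /ptype and /crypto can be checked by reading an exported file. The function names are hypothetical and the sample keytab is constructed inline with all-zero dummy keys.

```python
import struct

# Enctype and name-type numbers as assigned for Kerberos; 23 is RC4-HMAC.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(buf, off):
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """List the entries of a version 0x0502 keytab; key bytes are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted entry
            off += -size
            continue
        rec, p = data[off:off + size], 2
        off += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        _key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": NAME_TYPES.get(name_type, name_type),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, etype)})
    return entries

def build_entry(principal, realm, etype, key, kvno=2, name_type=1):
    """Build one keytab entry for the constructed sample below (dummy key)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the principal from the thread, with RC4 and AES256 entries.
SAMPLE = (b"\x05\x02" + build_entry("HTTP/gw.domain.com", "DOMAIN.COM", 23, bytes(16))
          + build_entry("HTTP/gw.domain.com", "DOMAIN.COM", 18, bytes(32)))
```

Calling `parse_keytab(open("gw.keytab", "rb").read())` on an exported file lists which principals and encryption types it actually contains.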