[Samba] set UPN / SPN from samba-tool.
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 29 14:18:41 UTC 2016
After my squid group adventure, I have a remaining question here.
The problem was as follows. (And this probably doesn't apply to squid kerberos helpers only.)
The samba-tool setup I used for squid was as follows.
samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service
Now this results in:
My UPN was set to the username@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).
samba-tool spn list squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
So far all OK, but it seems that if you use a user as a computer account, you must change the UPN.
And in this case I changed the UPN from username@internal.domain.tld to: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
Which was key to getting the squid ext_kerberos_ldap_group_acl working correctly.
I hope this helps someone for something ;-)
So my suggestion: adding an option that shows and can change the UserPrincipalName from within samba-tool would be great.
Or did I miss this option somewhere?
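
An added example, not part of the original post: one way to prepare the UPN change described above is to build an LDIF modify record from the `samba-tool spn list` output, refusing any principal that is not already registered on the account. The sample output, DN components and realm are constructed placeholders, and applying the record with `ldbmodify` is an assumption about how the change is made.

```python
import re

# Constructed sample of `samba-tool spn list squid1-service` output.
# DN components and realm are placeholders, not values from a real domain.
SAMPLE_SPN_LIST = """\
User CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld has the following servicePrincipalName:
\t HTTP/proxy.internal.domain.tld
"""


def parse_spn_list(output):
    """Return (dn, [spns]) parsed from `samba-tool spn list` output."""
    m = re.search(r"^User (.+?) has the following servicePrincipalName:",
                  output, re.M)
    if not m:
        raise ValueError("no account DN found in spn list output")
    # One SPN per remaining non-empty line; drop any "@REALM" suffix.
    spns = [line.strip().split("@")[0]
            for line in output[m.end():].splitlines() if line.strip()]
    return m.group(1), spns


def upn_ldif(output, spn, realm):
    """Build an LDIF record that sets userPrincipalName to spn@REALM.

    Assumes an ASCII-only DN (no base64 LDIF encoding is done).
    """
    dn, spns = parse_spn_list(output)
    # Only allow a UPN that matches an SPN already held by this account,
    # so the account cannot be pointed at some other service's principal.
    if spn.lower() not in (s.lower() for s in spns):
        raise ValueError(f"{spn} is not a servicePrincipalName of {dn}")
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPrincipalName\n"
            f"userPrincipalName: {spn}@{realm.upper()}\n")


if __name__ == "__main__":
    print(upn_ldif(SAMPLE_SPN_LIST,
                   "HTTP/proxy.internal.domain.tld", "your.realm.tld"))
```

The printed record can be saved to a file and applied on a domain controller with `ldbmodify -H <path to sam.ldb> <file>`; the database path depends on the installation.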