[Samba] set UPN / SPN from samba-tool.

Achim Gottinger achim at ag-web.biz
Mon Aug 29 15:06:32 UTC 2016



On 29.08.2016 at 16:18, L.P.H. van Belle via samba wrote:
> Hai
>
> After my squid group adventure, I have a remaining question here.
>
> The problem was as follows (and this probably doesn't apply to squid kerberos helpers only).
>
> The samba-tool setup I used for squid was as follows.
>
> samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
> samba-tool user setexpiry squid1-service --noexpiry
> samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service
>
> Now this results in:
>
> My UPN was set to username@internal.domain.tld (as it should).
> My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should).
>
> samba-tool spn list squid1-service
> squid1-service
> User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
>           HTTP/proxy.internal.domain.tld
>           HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
>
> So far all OK, but it seems that if you use a user as a computer account, you must change the UPN.
> And in this case I changed the UPN from username@internal.domain.tld to: HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
> Which was key to getting the squid ext_kerberos_ldap_group_acl working correctly.
>
> I hope this helps someone for something ;-)
>
> So my suggestion: adding an option that shows and can change the UserPrincipalName from within samba-tool would be great.
> Or did I miss this option somewhere?
>
> Greetz,
>
> Louis
Hello Louis,

Ain't it sufficient to export only the http SPN into a keytab file and
pass that to squid?
How did you change the UPN?

achim~



