[Samba] set UPN / SPN from samba-tool.

Achim Gottinger achim at ag-web.biz
Mon Aug 29 17:41:23 UTC 2016



On 29.08.2016 at 17:17, L.P.H. van Belle via samba wrote:
> No,
>
> That was not sufficient, I had to use the windows tool to change it.
>
> This is the explanation from the developer of squid helper.
> /snap
> I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them.  The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN.  There is no easy way to query what the UPN for the SPN is.
>
> Also msktutil (my preferred tool) creates a machine account not a user account in AD. The reason I prefer this is that often user accounts have a global password policy e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.
> /snap.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> Hello Louis,
>>
>> Ain't it sufficient to export only the http SPN into a keytab file and
>> pass that to squid?
>> How did you change the UPN?
>>
>> achim~
>>
>
>
I always understood SPNs act like aliases for the UPN, so that
explanation is a bit odd.
Is it sufficient to change the userPrincipalName LDAP attribute of the
user account? That would work on the Linux side.



