[Samba] set UPN / SPN from samba-tool.

mathias dufresne infractory at gmail.com
Tue Aug 30 13:58:13 UTC 2016


And reading the last mails comforts me in believing that the filter used by the client
side to retrieve the user is not correct; that filter should use the SPN, and then you
won't need to set the SPN into the UPN field.

2016-08-30 15:55 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Hi Louis,
>
>
> 2016-08-29 16:18 GMT+02:00 L.P.H. van Belle via samba <
> samba at lists.samba.org>:
>
>> Hai
>>
>>
>>
>> After my squid group adventure, i have a remaining question here.
>>
>>
>>
>> The problem was as follows. (And this probably doesn't apply to squid
>> kerberos helpers only.)
>>
>>
>>
>> The samba-tool setup I used for squid was as follows.
>>
>>
>>
>> samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
>>
>> samba-tool user setexpiry squid1-service --noexpiry
>>
>> samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service
>>
>>
>>
>> Now this results in:
>>
>> My UPN was set to username@internal.domain.tld (as it should).
>>
>> My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it
>> should).
>>
>>
>>
>> samba-tool spn list squid1-service
>>
>> squid1-service
>>
>> User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX
>> has the following servicePrincipalName:
>>
>>          HTTP/proxy.internal.domain.tld
>>
>>          HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
>>
>>
>>
>>
>>
>> So far all ok, but it seems that if you use a user as a computer account, you
>> must change the UPN.
>>
>> And in this case I changed the UPN from username@internal.domain.tld to:
>> HTTP/proxy.internal.domain.tld@YOUR.REALM.TLD
>>
>> Which was key to get the squid ext_kerberos_ldap_group_acl correctly
>> working.
>>
>>
> SPNs must be unique in AD because they are used in the LDAP filter to search for
> the user account these SPNs are linked to.
>
> When searching for a user, the filter could be "(sAMAccountName=toto)" or
> "(userPrincipalName=toto_long_form@domain.tld)". This will return the "toto"
> user LDAP object, as you know.
>
> Now, if my understanding is correct, when a service uses an SPN the LDAP
> filter will use that SPN to retrieve the user object: "(servicePrincipalName=SERVICE/toto)".
> This, again, will retrieve the toto LDAP user object.
>
> I noticed that playing months ago with Bind+DLZ SPNs.
>
> That said, your need to set the UPN in SPN form suggests to me that the filter used
> by your Squid is not correct. Perhaps by default Squid uses the UPN; perhaps
> there is an option in its configuration files to change that default
> behaviour (using the UPN) and tell it to use the SPN instead.
>
> Once Squid looks for the SPN in its filters, you should be able to remove the
> SPN from the UPN and set a normal UPN back (rather than an SPN in the UPN).
>
> Hoping that's clear... cheers : )
>
>
>>
>>
>> I hope this helps someone for something ;-)
>>
>>
>>
>> So my suggestion: adding an option that shows and can change the
>> userPrincipalName from within samba-tool would be great.
>>
>> Or did I miss this option somewhere?
>>
>>
>>
>>
>>
>> Greetz,
>>
>>
>>
>> Louis
>>
>>
>>
>>
>>
>>
>>
>>
>
>
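As an added example (this is the editor's script, not code from the thread and not Samba's own tooling): the commands from the post, followed by the step the thread asks samba-tool for, setting userPrincipalName with ldbmodify against sam.ldb, and an ldbsearch by servicePrincipalName showing that the SPN filter mathias describes finds the account without the UPN having to carry the SPN. The OU and DC components of the DN, the domain used in the UPN and the sam.ldb path are assumptions; the directory is only modified when SAMBA_APPLY=1 is set, so the helper functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: create the service
# account as in the post, then set userPrincipalName with ldbmodify
# (the option the thread asks samba-tool for) and confirm the account is
# found by a servicePrincipalName filter, UPN left in its normal form.
# Assumed values: the OU/DC parts of DN, the UPN domain, the sam.ldb path.
set -eu

ACCOUNT="squid1-service"
SPN="HTTP/proxy.internal.domain.tld"
UPN="${ACCOUNT}@internal.domain.tld"                                 # assumed domain
DN="CN=${ACCOUNT},OU=Service-Accounts,DC=internal,DC=domain,DC=tld" # assumed DN
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"                  # assumed path

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash must be handled first, then the other metacharacters.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter that finds the account by servicePrincipalName: the lookup the
# thread argues a Kerberos helper should be doing instead of a UPN lookup.
spn_filter() {
  printf '(servicePrincipalName=%s)' "$(ldap_escape "$1")"
}

# LDIF that replaces userPrincipalName on a DN; feed it to ldbmodify.
upn_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# Only touch the directory when explicitly asked, so the script is safe
# to run for its functions on a host without Samba installed.
if [ "${SAMBA_APPLY:-0}" = "1" ]; then
  samba-tool user create "$ACCOUNT" --description="Unprivileged user for SQUID1-Proxy Services" --random-password
  samba-tool user setexpiry "$ACCOUNT" --noexpiry
  samba-tool spn add "$SPN" "$ACCOUNT"

  # Set (or reset) the UPN to the normal user@domain form.
  ldif=$(mktemp)
  upn_ldif "$DN" "$UPN" > "$ldif"
  ldbmodify -H "$SAM_DB" "$ldif"
  rm -f "$ldif"

  # Lookup by SPN returns the same object a sAMAccountName or UPN lookup does.
  ldbsearch -H "$SAM_DB" "$(spn_filter "$SPN")" sAMAccountName userPrincipalName servicePrincipalName
fi
```

Run it with SAMBA_APPLY=1 as root on the DC. The RFC 4515 escaping in ldap_escape is there because the SPN is copied verbatim into a filter; a value containing `*`, parentheses or a backslash would otherwise change what the filter matches rather than being compared literally.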

