[Samba] set UPN / SPN from samba-tool.

L.P.H. van Belle belle at bazuin.nl
Tue Aug 30 15:21:02 UTC 2016


> > > Hi Rowland,
> >
> > As DNS back end when configured to use Bind+DLZ is authenticating the DNS
> > user (dns-<DCname>) using an SPN, and as this user does not have objectclass
> > "computer" set, I would say we can create users which are not computers
> > with an SPN. Don't you agree?
> 
> Yes of course you can, but Louis is changing the user's UPN into an SPN
> in all but name.
> 
> Rowland
> 

Yes, since this "user" is not a real user.
The way I set it up is like a Windows MSA (Managed Service Account) or virtual account.

So why I mailed the samba list...
It can happen that we need to change the UPN..

There are 3 ways to set up what we are talking about.
It's majorly off topic for samba, so I'll explain for the last time.

1) setup as shown in that wiki link: 
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Which >> I << don't like because of the use of msktutil.
And which is not included in Debian, and needs a cron setup to refresh the keytab etc., lots of points of failure.
I've tried msktutil years ago too, I just didn't like it, had too many problems with it.

2) creating a user account, which you can use for services.
As I did, which works fine.
What I did here was add 2 SPNs to the account for 2 different proxy servers. Which also worked fine, but the company needed some group filtering.
Which needed a change in the setup. For the group filtering,
which wasn't implemented yet with Kerberos, I tested the LDAP group already, which also worked, but it's nice to use one type of auth.

While testing this, I detected something off..
with ext_kerberos_ldap_group_acl only, not squid.


3) and my next install, which in my opinion is the best for me, since I use only Debian packages.
Use (samba) winbind to add the computer account, add there what's needed and set up the UPN/SPNs per server.

Pffew..

Everybody happy... I am..

Greetz, 

Louis