[Samba] added spn and exported keytab not match

Rowland Penny rpenny at samba.org
Thu Nov 30 10:00:29 UTC 2017


On Thu, 30 Nov 2017 11:11:27 +0400
Mike Lykov via samba <samba at lists.samba.org> wrote:

> Hello All.
> 
> I am using a Samba AD DC and a Linux server with Squid, and
> I am trying to configure Kerberos authentication for proxy server users.
> I need to add an SPN for a user and then export a keytab with it to a file.
> 
> I added the user with RSAT and added an SPN for it with samba-tool (like
> https://wiki.samba.org/index.php/Generating_Keytabs):
> --------------------
> root at ad41:/# samba-tool spn list proxy
> proxy
> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following 
> servicePrincipalName:
>           HTTP/proxy.S****.ru at DC.S****.RU
>           host/proxy.S****.ru at DC.S****.RU

I am not an expert on squid by any means, but you seem to be adding
SPNs meant for a computer account to a user account i.e.
'proxy.S****.ru' would be a FQDN.
Also, the 'S****.ru' should be 'dc.s****.ru'.

I think you are going to have to wait until Louis gets over the flu, he
is the expert on squid ;-)

Rowland




