[Samba] Setup Samba as AD-DC with kerberos constrained delegation

[Puran Chand]

Hi All,

I have setup samba as Active Directory Domain Controller as per the steps
mentioned in wiki page

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

I have also setup squid proxy with kerberos auth on other machine as per
the steps mentioned on squid wiki page.

However I couldn't find any documentation to do a KCD setup.

Here are things I want to do
1. Setup Squid with kerberos auth
2. Create a service account in AD-DC for squid service as well as create a
service principal name for squid service.
3. Create few users and setup delegation for those users to
service-account/service-principal-name for squid service

I performed following steps:-
1. Added user using samba-tool user.
2. Joined the squid machine to AD-DC using "net ads join"
3. Added SPN using the command "samba-tool spn add HTTP/SQUID at DOMAIN
serviceAccount"

So far, I can get the TGT using my application but AD-DC do not issue TGS,
following error is received by application while requesting the service
ticket "gss_acquire_cred_impersonate_name: Generic error (see e-text)"

I am kind of blank here, I did tried few steps using "samba-tool
delegation" and "samba-tool spn" commands but those got me no where.

It would be great if one can list out the steps/samba-tool commands to
setup delegation for squid service using service account.

Thanks
-Puran