[Samba] Compatibility With PaloAlto User Identification

Andrew Bartlett abartlet at samba.org
Tue Feb 15 20:18:06 UTC 2022


On Tue, 2022-02-15 at 15:12 -0500, ralph strebbing wrote:
> On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote:
> > If you get that working, I would love to see a wiki page describing the
> > arrangement so we can help others with similar devices.
> A way that I'm going to try getting this working is to use the
> Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm
> hung up on right now is getting the keytab generated properly.
> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html
> The above link describes the commands to run on a Windows DC, how
> should those translate for Samba?

samba-tool domain exportkeytab is your friend, running on the DC.  Just
specify the SPN you need to export, otherwise you will export the whole
domain.  Check with ktutil.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
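
An added example, not part of the original message: exporting a single SPN and checking that the resulting keytab holds that principal and nothing else (a keytab exported without a principal filter carries keys for the whole domain). It checks with MIT `klist -k` rather than ktutil; the SPN, realm, file path and sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumes MIT Kerberos `klist -k` output; names are placeholders.

# Export only one SPN from the Samba AD DC into a keytab readable by its owner.
# Run on the DC as root. Not called here, so the block runs without Samba.
export_spn_keytab() {
    spn="$1"; keytab="$2"
    ( umask 077 && samba-tool domain exportkeytab "$keytab" --principal="$spn" )
}

# Read `klist -k` style output on stdin and verify that it contains the wanted
# principal (with realm) and no other. Prints each unexpected principal once.
# Returns 0 if clean, 1 if other principals are present, 2 if the wanted
# principal is missing.
audit_keytab_listing() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {                 # entry rows start with the KVNO
            if ($2 == want) found = 1
            else if (!($2 in seen)) { seen[$2] = 1; print $2; extra = 1 }
        }
        END { if (extra) exit 1; if (!found) exit 2; exit 0 }
    '
}

# On the DC (placeholders):
#   export_spn_keytab 'HTTP/fw.example.com' /root/pa.keytab
#   klist -k /root/pa.keytab | audit_keytab_listing 'HTTP/fw.example.com@EXAMPLE.COM'

# Constructed sample: keytab holding only the requested SPN (one row per key).
SAMPLE_OK='Keytab name: FILE:/root/pa.keytab
KVNO Principal
---- ------------------------------------------------
   2 HTTP/fw.example.com@EXAMPLE.COM
   2 HTTP/fw.example.com@EXAMPLE.COM'

# Constructed sample: export run without a principal filter.
SAMPLE_WHOLE_DOMAIN='Keytab name: FILE:/root/all.keytab
KVNO Principal
---- ------------------------------------------------
   1 Administrator@EXAMPLE.COM
   1 Administrator@EXAMPLE.COM
   3 krbtgt@EXAMPLE.COM
   2 HTTP/fw.example.com@EXAMPLE.COM'
```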



