[Samba] Compatibility With PaloAlto User Identification

Andrew Bartlett abartlet at samba.org
Tue Feb 15 20:18:06 UTC 2022

On Tue, 2022-02-15 at 15:12 -0500, ralph strebbing wrote:
> On Tue, Feb 15, 2022 at 1:37 AM Andrew Bartlett <abartlet at samba.org> wrote:
> > If you get that working, I would love to see a wiki page describing the
> > arrangement so we can help others with similar devices.
> A way that I'm going to try getting this working is to use the
> Kerberos approach by getting Kerberos v5 SSO set up. The thing I'm
> hung up on right now is getting the keytab generated properly.
> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on.html
> The above link describes the commands to run on a windows DC, how
> should those translate for Samba?

samba-tool domain exportkeyab is your friend, running on the DC.  Just
specify the SPN you need to export, otherwise you will export the whole
domain.  Check with ktutil.

Andrew Bartlett

Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba mailing list