[Samba] Compatibility With PaloAlto User Identification

ralph strebbing blackbirdralph at gmail.com
Wed Feb 16 16:25:19 UTC 2022

On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
> samba-tool domain exportkeyab is your friend, running on the DC.  Just
> specify the SPN you need to export, otherwise you will export the whole
> domain.  Check with ktutil.
I feel a bit silly. So I've gone ahead and run the following commands
as I've gathered they needed adapted from the windows commands given
in the link posted before;
samba-tool spn add HTTP/gw.domain.com at DOMAIN.COM fwuser
The last piece there is the service user I've created for the firewall.
Then I ran:
samba-tool domain exportkeytab gw.keytab --principal=fwuser

When I attempted to import the keytab into the firewall however, I was
presented with the following error:
"service principal name "fwuser" is not allowed (not start with HTTP)"

This is where I was getting hung up, and I presume something declared
in the PaloAlto docs indicates how the file/spn is formatted. But I'm
not sure how that needs to translate to the samba commands (if


More information about the samba mailing list