[Samba] Compatibility With PaloAlto User Identification

Rowland Penny rpenny at samba.org
Wed Feb 16 17:17:52 UTC 2022

On Wed, 2022-02-16 at 11:25 -0500, ralph strebbing via samba wrote:
> On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > samba-tool domain exportkeytab is your friend, running on the DC.  Just
> > specify the SPN you need to export, otherwise you will export the whole
> > domain.  Check with ktutil.
> I feel a bit silly. So I've gone ahead and run the following commands,
> as I've gathered they needed adapting from the Windows commands given
> in the link posted before:
> samba-tool spn add HTTP/gw.domain.com at DOMAIN.COM fwuser
> The last piece there is the service user I've created for the firewall.
> Then I ran:
> samba-tool domain exportkeytab gw.keytab --principal=fwuser
> When I attempted to import the keytab into the firewall, however, I was
> presented with the following error:
> "service principal name "fwuser" is not allowed (not start with HTTP)"

I think you have run into the problem that SPNs have to be unique and,
if 'gw.domain.com' is joined to the domain, it will have the SPN
'HOST/gw.domain.com', which also has the alias 'HTTP/gw.domain.com'.

Try reading this thread:


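The uniqueness problem Rowland describes can be checked before an SPN is added or a keytab is exported. The following is an added example, not code from the thread or from Samba: it models how a `HOST/<fqdn>` SPN on a joined machine account implicitly covers `HTTP/<fqdn>` through the domain's sPNMappings, and mirrors the firewall's quoted rule that the keytab principal must start with `HTTP`. The alias list and the directory snapshot are constructed for the example and are assumptions, not output from a real domain.

```python
"""Check a proposed SPN for collisions with SPNs already registered.

Added example, not from the mailing-list thread or from Samba. The alias
set and the directory snapshot below are constructed for illustration.
"""

# Assumption: a subset of the default sPNMappings "host=" classes in
# Active Directory. Any class here is answered by HOST/<same hostname>.
HOST_ALIASES = frozenset({"http", "www", "cifs", "ldap", "dns", "rpc", "time"})

# Constructed snapshot of servicePrincipalName values per account.
# GW$ is the machine account of the joined host gw.domain.com.
DIRECTORY = {
    "GW$": ["HOST/gw.domain.com", "HOST/GW"],
    "fwuser": [],
}


def parse_spn(spn):
    """Split 'CLASS/host[:port][/name]' into (class, host), lower-cased."""
    if "/" not in spn:
        raise ValueError(f"not an SPN: {spn!r}")
    cls, rest = spn.split("/", 1)
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return cls.lower(), host.lower()


def covers(existing, proposed):
    """True if `existing` already answers for `proposed`: same host and
    either the same class or HOST aliasing the proposed class."""
    e_cls, e_host = parse_spn(existing)
    p_cls, p_host = parse_spn(proposed)
    if e_host != p_host:
        return False
    return e_cls == p_cls or (e_cls == "host" and p_cls in HOST_ALIASES)


def spn_conflicts(directory, account, proposed):
    """Return [(owner, existing_spn)] for every *other* account whose SPN
    would make `proposed` non-unique if it were added to `account`."""
    hits = []
    for owner, spns in directory.items():
        if owner == account:
            continue
        for spn in spns:
            if covers(spn, proposed):
                hits.append((owner, spn))
    return hits


def keytab_principal_ok(principal, required_prefix="HTTP/"):
    """The firewall's import rule quoted in the thread: the principal in
    the exported keytab must begin with HTTP/ (a bare user name fails)."""
    return principal.startswith(required_prefix)


if __name__ == "__main__":
    for acct, spn in [("fwuser", "HTTP/gw.domain.com"),
                      ("fwuser", "HTTP/proxy.domain.com")]:
        c = spn_conflicts(DIRECTORY, acct, spn)
        print(f"{spn} on {acct}: {'conflicts with ' + str(c) if c else 'unique'}")
    for p in ["fwuser", "HTTP/gw.domain.com@DOMAIN.COM"]:
        print(f"keytab principal {p!r} accepted: {keytab_principal_ok(p)}")
```

Running it reports that `HTTP/gw.domain.com` on `fwuser` collides with `HOST/gw.domain.com` owned by the machine account, while a hostname that is not joined (the constructed `proxy.domain.com`) is unique; it also shows why a keytab exported for the bare principal `fwuser` is rejected by a rule that requires an `HTTP/` prefix. On a real domain the existing SPNs would come from `samba-tool spn list` or an LDAP query rather than the embedded snapshot.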