[Samba] Compatibility With PaloAlto User Identification

Kees van Vloten keesvanvloten at gmail.com
Wed Feb 16 17:29:05 UTC 2022


On 16-02-2022 18:17, Rowland Penny via samba wrote:
> On Wed, 2022-02-16 at 11:25 -0500, ralph strebbing via samba wrote:
>> On Tue, Feb 15, 2022 at 3:18 PM Andrew Bartlett <abartlet at samba.org>
>> wrote:
>>> samba-tool domain exportkeytab is your friend, running on the DC. Just
>>> specify the SPN you need to export, otherwise you will export the whole
>>> domain. Check with ktutil.
>> I feel a bit silly. So I've gone ahead and run the following commands,
>> as I've gathered they needed to be adapted from the Windows commands given
>> in the link posted before:
>> samba-tool spn add HTTP/gw.domain.com@DOMAIN.COM fwuser
>> The last piece there is the service user I've created for the firewall.
>> Then I ran:
>> samba-tool domain exportkeytab gw.keytab --principal=fwuser
>>
>> When I attempted to import the keytab into the firewall, however, I was
>> presented with the following error:
>> "service principal name "fwuser" is not allowed (not start with HTTP)"
> I think you have run into the problem that SPNs have to be unique and
> if 'gw.domain.com' is joined to the domain it will have the SPN
> 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
>
> Try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html
>
> Rowland
>
Or this one perhaps?

https://lists.samba.org/archive/samba/2021-July/236636.html

- Kees
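The "check with ktutil" step from earlier in the thread, done in code as an added example that is not part of the thread: a parser for the MIT keytab v2 format that lists the principals a keytab actually contains and flags any that would fail the firewall's "must start with HTTP" rule, which is exactly how an export by account name (--principal=fwuser) rather than by SPN shows up. The sample keytab, names and key bytes below are constructed, not taken from a real export.

```python
import struct

KEYTAB_V2 = b"\x05\x02"  # MIT keytab format version 2 (big-endian fields)

def build_keytab(entries):
    # Serialise (realm, components, kvno, enctype, key) tuples into keytab v2 bytes.
    # Only used here to construct sample input; real keytabs come from exportkeytab.
    out = bytearray(KEYTAB_V2)
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:            # realm first, then the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body       # int32 entry size, then entry
    return bytes(out)

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)            # counted octet string
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("only keytab version 0x0502 is handled")
    off, found = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        _name_type, _ts, kvno = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 9 + 4 + klen
        if end - off >= 4:                   # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        found.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end
    return found

def non_http_principals(data):
    # Principals the firewall's "must start with HTTP" rule would reject.
    return [p for p, _, _ in keytab_principals(data) if not p.startswith("HTTP/")]

SAMPLE = build_keytab([  # constructed: the account-name export next to the SPN export it needed
    ("DOMAIN.COM", ["fwuser"], 2, 18, b"\x11" * 32),
    ("DOMAIN.COM", ["HTTP", "gw.domain.com"], 2, 18, b"\x22" * 32),
])
```

Running `non_http_principals` over a real gw.keytab before importing it tells you whether the export picked up the account principal instead of the HTTP/ SPN.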
