[Samba] Compatibility With PaloAlto User Identification

ralph strebbing blackbirdralph at gmail.com
Wed Feb 16 17:52:34 UTC 2022

On Wed, Feb 16, 2022 at 12:18 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> I think you have run into the problem that SPNs have to be unique and
> if 'gw.domain.com' is joined to the domain it will have the SPN
> 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
> Try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html
Going through the posts there, I was able to export a keytab that
specifies the principal HTTP/gw.domain.com@DOMAIN.COM.
Now how would I go about exporting the password into the keytab (as it
seems the firewall wants)?
The command on Windows that I was able to piece together is:
ktpass /princ HTTP/gw.domain.com@DOMAIN.COM /mapuser DOMAIN\fwuser
/pass plaintextpasswd /out gw.keytab /ptype KRB5_NT_PRINCIPAL /crypto
At this point, the following args have been successfully figured
out (I think) with the samba-tool domain exportkeytab command:
/princ HTTP/gw.domain.com@DOMAIN.COM
Not sure about the usermapping (/mapuser DOMAIN\fwuser)

So what would be next as far as passing the password into the file,
setting the ptype to KRB5_NT_PRINCIPAL (assuming that this isn't a
default), and setting the encryption?

