[Samba] Compatibility With PaloAlto User Identification

Rowland Penny rpenny at samba.org
Wed Feb 16 18:00:31 UTC 2022


On Wed, 2022-02-16 at 12:52 -0500, ralph strebbing wrote:
> On Wed, Feb 16, 2022 at 12:18 PM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > I think you have run into the problem that SPNs have to be unique and
> > if 'gw.domain.com' is joined to the domain it will have the SPN
> > 'HOST/gw.domain.com' which also has the alias 'HTTP/gw.domain.com'.
> > 
> > Try reading this thread:
> > https://lists.samba.org/archive/samba/2021-November/238694.html
> Going through the posts there, I was able to export a keytab that
> specifies the principal HTTP/gw.domain.com@DOMAIN.COM
> Now how would I go about exporting the password into the keytab (as it
> seems the firewall wants)?
> The command on Windows that I was able to piece together is:
> ktpass /princ HTTP/gw.domain.com@DOMAIN.COM /mapuser DOMAIN\fwuser /pass plaintextpasswd /out gw.keytab /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
> At this point, the following args have been successfully figured
> out (I think) with the samba-tool domain exportkeytab command:
> /princ HTTP/gw.domain.com@DOMAIN.COM
> Not sure about the usermapping (/mapuser DOMAIN\fwuser)
>
> So what would be next as far as passing the password into the file,
> setting the ptype to KRB5_NT_PRINCIPAL (assuming that this isn't a
> default), and setting the encryption?
> 
> Thanks,
> Ralph

Did you create the user 'fwuser' with a password ?

Rowland
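
An added example, not part of the original message and not Samba or Palo Alto code: a Python parser that lists what a keytab such as the exported gw.keytab holds (principal, kvno, name type, encryption type), the fields that the /ptype and /crypto arguments of the quoted ktpass command refer to. It assumes the keytab file format version 0x0502; parse_keytab, build_entry and the sample with all-zero placeholder keys are constructed for illustration.

```python
import struct

# Kerberos enctype and name-type numbers; ktpass's RC4-HMAC-NT is enctype 23.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """List the entries of a keytab in file format 0x0502 (key bytes are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative length marks a deleted entry; zero ends the scan
            pos = len(data) if size == 0 else pos - size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        name_type, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen  # skip the 13 bytes of fixed fields and the key itself
        if pos + size - p >= 4:  # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos += size
    return entries

def build_entry(realm, comps, name_type, kvno, enctype, key):
    """Serialise one entry; used only to construct the sample below."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", name_type, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's principal, kvno 2, all-zero placeholder keys.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("DOMAIN.COM", ["HTTP", "gw.domain.com"], 1, 2, etype, bytes(klen))
    for etype, klen in ((23, 16), (18, 32)))

if __name__ == "__main__":
    print(*parse_keytab(SAMPLE), sep="\n")
```

To inspect a real file, pass its bytes: `parse_keytab(open("gw.keytab", "rb").read())`.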




