[Samba] Compatibility With PaloAlto User Identification

ralph strebbing blackbirdralph at gmail.com
Fri Feb 25 15:47:52 UTC 2022

On Wed, Feb 16, 2022 at 1:40 PM ralph strebbing
<blackbirdralph at gmail.com> wrote:
> Continuing on with what I'm running into, just ensuring there is no other configuration needed on Samba:
> Is there any configuration needed to ensure Kerberos v5 SSO is supported and operating properly? Or is that mostly a client thing (e.g. the firewall), with the only requirement being that the Kerberos TGS is operating?
Wanted to update the group: I did get this figured out. It has more to
do with the arguments passed when running exportkeytab. (See example
So at least with PaloAlto Firewalls, to add a compatible SPN and
export a keytab the following must be done:
1. Create a service user, ensure it is in the Users OU, and does NOT
have Domain Admin, set a password. (fwuser in this example)
2. Create the SPN: `samba-tool spn add HTTP/<FQDN of Firewall> <service user from step 1>`
3. Export the keytab: `samba-tool domain exportkeytab <filename> --password=<serviceuserpassword> -U <service user> --principal=HTTP/<FQDN of Firewall>`
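The three steps above wrapped into a script, as an added example that is not part of the original post or of the Samba project. It assumes placeholder names (fw01.example.com, fwuser, /root/fw01.keytab), uses `samba-tool user create` for step 1 (the post does not name the command, only the requirement that the account sit in the Users container without Domain Admin membership, which is what an unmodified `user create` gives), and adds two checks a practitioner wants on top of the procedure: the SPN is derived from a validated, lowercased FQDN, and the exported keytab is made root-only before it is copied to the firewall, since the keytab is as sensitive as the service account's password. `DRY_RUN=1` prints the samba-tool commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Placeholders: fw01.example.com, fwuser, /root/fw01.keytab.
# DRY_RUN=1 echoes each samba-tool command instead of executing it.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Step 2 input: derive the SPN from the firewall's FQDN. The host part is
# lowercased because browsers canonicalise the URL host that way before
# requesting a ticket, and Kerberos principal names are case-sensitive.
# A short hostname or unexpected characters are rejected.
fw_spn() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *.*) ;;                    # must be fully qualified
        *) return 1 ;;
    esac
    case "$fqdn" in
        *[!a-z0-9.-]*) return 1 ;; # only hostname characters allowed
    esac
    printf 'HTTP/%s\n' "$fqdn"
}

# Execute a command, or echo it verbatim when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The keytab holds the service account's key: restrict it to root and
# verify the mode before the file goes anywhere near the firewall.
lock_down_keytab() {
    chmod 600 "$1" || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm 600 -print)" ]
}

# Steps 1-3 in order. The account is created without any group
# membership, so it stays out of Domain Admins; --principal limits the
# export to the firewall's HTTP key rather than every key in the domain.
provision_fw_sso() {
    fw_fqdn="$1"; user="$2"; keytab="$3"; password="$4"
    spn=$(fw_spn "$fw_fqdn") || {
        echo "invalid firewall FQDN: $fw_fqdn" >&2
        return 1
    }
    run "$SAMBA_TOOL" user create "$user" "$password" || return 1
    run "$SAMBA_TOOL" spn add "$spn" "$user" || return 1
    run "$SAMBA_TOOL" domain exportkeytab "$keytab" \
        --password="$password" -U "$user" --principal="$spn" || return 1
    [ -n "${DRY_RUN:-}" ] || lock_down_keytab "$keytab"
}

# Usage (dry run first, then for real on the DC):
#   DRY_RUN=1 sh provision_fw_sso.sh
#   sh provision_fw_sso.sh
# provision_fw_sso fw01.example.com fwuser /root/fw01.keytab 'service-password'
```

Passing the password on the command line mirrors the post's step 3; on a shared host it is visible to other users in the process list for the duration of the export, so run it on the DC itself and change nothing else about the account afterwards, since a password change invalidates the exported keytab.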

The exported file was accepted by the firewall, and once the browser
has been configured to allow Kerberos SSO, the redirect into the
firewall works and authenticates correctly!
