
[Samba] set UPN / SPN from samba-tool.


L.P.H. van Belle via samba

Aug 29, 2016, 10:30:03 AM
Hai

After my squid group adventure, I have a remaining question here.

The problem was as follows. (And this probably doesn't apply to squid kerberos helpers only.)

The samba-tool setup I used for squid was as follows.

samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password
samba-tool user setexpiry squid1-service --noexpiry
samba-tool spn add HTTP/proxy.internal.domain.tld squid1-service

Now this results in:

My UPN was set to user...@internal.domain.tld (as it should).
My SPN was set to HTTP/proxyserver.internal.domain.tld@REALM (as it should)

samba-tool spn list squid1-service
squid1-service
User CN=squid1-service,OU=Service-Accounts,OU=XXXX,DC=XXXXX,DC=XXXX,DC=XX has the following servicePrincipalName:
         HTTP/proxy.internal.domain.tld
         HTTP/proxy.intern...@YOUR.REALM.TLD

So far all ok, but it seems if you use a user as computer account, you must change the UPN.
And in this case I changed the UPN from user...@internal.domain.tld to: HTTP/proxy.intern...@YOUR.REALM.TLD
Which was key to get the squid ext_kerberos_ldap_group_acl correctly working.

I hope this helps someone for something ;-)

So my suggestion: an option that shows and can change the UserPrincipalName from within samba-tool would be great.
Or did I miss this option somewhere?

Greetz,

Louis


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
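An added example, not code from the thread: how the userPrincipalName change Louis describes can be inspected and applied on the DC with the ldb tools that ship with Samba, plus a check of the current UPN against the SPN@REALM form the squid helper expects. The sam.ldb path, the DN and the realm are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect and change userPrincipalName
# on a Samba AD DC with the ldb tools that ship with Samba. The sam.ldb path,
# the DN and the realm below are assumptions; adjust them for your domain.
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# The UPN the squid ext_kerberos_ldap_group_acl helper expects: SPN@REALM.
expected_upn() {   # $1 = SPN, $2 = Kerberos realm
    printf '%s@%s\n' "$1" "$2"
}

# Succeeds (exit 0) when the current UPN already equals SPN@REALM.
upn_matches_spn() {   # $1 = current UPN, $2 = SPN, $3 = realm
    [ "$1" = "$(expected_upn "$2" "$3")" ]
}

# LDIF record that replaces userPrincipalName on one account.
upn_modify_ldif() {   # $1 = account DN, $2 = new UPN
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# Show the current UPN and SPNs of an account (queries the live sam.ldb on the DC).
show_upn() {   # $1 = sAMAccountName
    ldbsearch -H "$SAM_DB" "(sAMAccountName=$1)" userPrincipalName servicePrincipalName
}

# Apply the change on the DC as root; verify afterwards with show_upn.
set_upn() {   # $1 = account DN, $2 = new UPN
    upn_modify_ldif "$1" "$2" | ldbmodify -H "$SAM_DB"
}

# Dry run with constructed values (no DC needed): print the LDIF set_upn would apply.
DN='CN=squid1-service,OU=Service-Accounts,DC=internal,DC=domain,DC=tld'
NEW_UPN="$(expected_upn HTTP/proxy.internal.domain.tld YOUR.REALM.TLD)"
upn_matches_spn 'squid1-service@internal.domain.tld' HTTP/proxy.internal.domain.tld YOUR.REALM.TLD \
    || upn_modify_ldif "$DN" "$NEW_UPN"
```

Run set_upn only after show_upn confirms the DN and the current values; a UPN must stay unique in the domain, as an SPN must.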

Achim Gottinger via samba

Aug 29, 2016, 11:10:03 AM
Hello Louis,

Isn't it sufficient to export only the HTTP SPN into a keytab file and
pass that to squid?
How did you change the UPN?

achim~

L.P.H. van Belle via samba

Aug 29, 2016, 11:20:03 AM
No,

That was not sufficient, I had to use the windows tool to change it.

This is the explanation from the developer of the squid helper.
/snap
I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.

Also msktutil (my preferred tool) creates a machine account, not a user account in AD. The reason I prefer this is that often user accounts have a global password policy, e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.
/snap.

Greetz,

Louis

> -----Original message-----

L.P.H. van Belle via samba

Aug 29, 2016, 1:50:03 PM
hello Achim,

yes, if you change the userPrincipalName LDAP attribute that's sufficient, that's what I changed through the windows tool.

greetz,

Louis

On 29 Aug 2016 at 19:42, Achim Gottinger via samba <sa...@lists.samba.org> wrote the following:

> On 29.08.2016 at 17:17, L.P.H. van Belle via samba wrote:
> > No,
> >
> > That was not sufficient, I had to use the windows tool to change it.
> >
> > This is the explanation from the developer of the squid helper.
> > /snap
> > I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
> >
> > Also msktutil (my preferred tool) creates a machine account, not a user account in AD. The reason I prefer this is that often user accounts have a global password policy, e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.
> > /snap.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > Hello Louis,
> > >
> > > Isn't it sufficient to export only the HTTP SPN into a keytab file and
> > > pass that to squid?
> > > How did you change the UPN?
> > >
> > > achim~
>
> I always understood SPNs act like aliases for the UPN so that
> explanation is a bit odd.
> Is it sufficient to change the userPrincipalName LDAP attribute of the
> user account? That would work on the linux side.

Achim Gottinger via samba

Aug 29, 2016, 1:50:03 PM


On 29.08.2016 at 17:17, L.P.H. van Belle via samba wrote:
> No,
>
> That was not sufficient, I had to use the windows tool to change it.
>
> This is the explanation from the developer of the squid helper.
> /snap
> I would say they are bugs. The first “issue” is as you say more about understanding the difference between UPN and SPN and how the tools use them. The helper tries to “authenticate” squid to AD as a user with the found SPN name, so the UPN must be the same as the SPN. There is no easy way to query what the UPN for the SPN is.
>
> Also msktutil (my preferred tool) creates a machine account, not a user account in AD. The reason I prefer this is that often user accounts have a global password policy, e.g. change every 60 days otherwise it will be locked. Machine accounts do not have that limitation. But as I said it is just my preference.
> /snap.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> Hello Louis,
>>
>> Isn't it sufficient to export only the HTTP SPN into a keytab file and
>> pass that to squid?
>> How did you change the UPN?
>>
>> achim~
>
I always understood SPNs act like aliases for the UPN so that
explanation is a bit odd.
Is it sufficient to change the userPrincipalName LDAP attribute of the
user account? That would work on the linux side.


Achim Gottinger via samba

Aug 29, 2016, 3:30:03 PM


On 29.08.2016 at 19:46, L.P.H. van Belle via samba wrote:
> hello Achim,
>
> yes, if you change the userPrincipalName LDAP attribute that's sufficient, that's what I changed through the windows tool.
>
> greetz,
>
> Louis
>
Have you tried to add that attribute to a machine account? The
attribute belongs to the user class and machine accounts use that class.

mathias dufresne via samba

Aug 30, 2016, 10:00:02 AM
Hi Louis,

2016-08-29 16:18 GMT+02:00 L.P.H. van Belle via samba <sa...@lists.samba.org>:

SPNs must be unique in AD because they are used in LDAP filters to search for the user
account these SPNs are linked to.

When searching for a user the filter could be "(sAMAccountName=toto)" or
"(userPrincipalName=toto_lo...@domain.tld)". This will return the "toto"
user LDAP object, as you know.

Now, if my understanding is correct, when a service uses an SPN the LDAP filter
will use that SPN to retrieve the user object:
"(serviceprincipalname=SERVICE/toto)". This, again, will retrieve the toto LDAP
user object.

I noticed that months ago, playing with Bind+DLZ SPNs.

That said, your need to set the UPN in SPN form suggests to me that the filter used
by your Squid is not correct. Perhaps by default Squid uses the UPN; perhaps
there is an option in its configuration files to change that default
behaviour (using UPN) to tell it to use the SPN.

Once Squid looks for the SPN in its filters you should be able to remove the
SPN from the UPN and set a normal UPN back (rather than an SPN in the UPN).

Hoping that's clear... cheers : )
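An added example, not code from the thread: the three account lookups mathias describes, built with RFC 4515 escaping so that a value copied from a client request cannot change the shape of the filter, and the SPN-based lookup a service helper should perform. The sam.ldb path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: build the account lookups by logon
# name, by UPN and by SPN, escaping the value per RFC 4515 so that a value
# taken from a client request cannot alter the filter. SAM_DB is an assumption.
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# Escape the characters that carry meaning inside an LDAP filter value:
# backslash first, then '*', '(' and ')'.
ldap_escape() {   # $1 = raw value
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The lookups mathias lists: by sAMAccountName, by userPrincipalName, by servicePrincipalName.
sam_filter() { printf '(sAMAccountName=%s)\n' "$(ldap_escape "$1")"; }
upn_filter() { printf '(userPrincipalName=%s)\n' "$(ldap_escape "$1")"; }
spn_filter() { printf '(servicePrincipalName=%s)\n' "$(ldap_escape "$1")"; }

# Find the account that owns a service principal: the lookup a Kerberos
# service helper should perform instead of expecting the SPN in the UPN.
# Queries the live sam.ldb on the DC.
find_by_spn() {   # $1 = SPN, e.g. HTTP/proxy.internal.domain.tld
    ldbsearch -H "$SAM_DB" "$(spn_filter "$1")" sAMAccountName userPrincipalName servicePrincipalName
}

# Demo with constructed values (no DC needed).
sam_filter toto
upn_filter toto@domain.tld
spn_filter HTTP/proxy.internal.domain.tld
# A value carrying filter metacharacters is neutralised instead of widening the match:
spn_filter '*)(objectClass=*'
```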

mathias dufresne via samba

Aug 30, 2016, 10:00:03 AM
And reading the last mails strengthens my belief that the filter used by the client
side to retrieve the user is not correct; that filter should use the SPN, then you
won't need to put the SPN into the UPN field.

Rowland Penny via samba

Aug 30, 2016, 10:20:03 AM
On Tue, 30 Aug 2016 15:58:13 +0200
mathias dufresne via samba <sa...@lists.samba.org> wrote:

> And reading the last mails strengthens my belief that the filter used by
> the client side to retrieve the user is not correct; that filter should
> use the SPN, then you won't need to put the SPN into the UPN field.
>

I think the problem is the way Louis is creating the SPN: all the info
I have found on the internet seems to assume you will use a computer
account and not a user account.

Even Squid's own page tells you to use a computer account:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Rowland

mathias dufresne via samba

Aug 30, 2016, 10:30:03 AM
2016-08-30 16:10 GMT+02:00 Rowland Penny via samba <sa...@lists.samba.org>:

> On Tue, 30 Aug 2016 15:58:13 +0200
> mathias dufresne via samba <sa...@lists.samba.org> wrote:
>
> > And reading the last mails strengthens my belief that the filter used by
> > the client side to retrieve the user is not correct; that filter should
> > use the SPN, then you won't need to put the SPN into the UPN field.
> >
>
> I think the problem is the way Louis is creating the SPN: all the info
> I have found on the internet seems to assume you will use a computer
> account and not a user account.
>
> Even Squid's own page tells you to use a computer account:
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> Rowland
>

Hi Rowland,

As the DNS back end, when configured to use Bind+DLZ, authenticates the DNS user
(dns-<DCname>) using an SPN, and as this user does not have objectclass "computer"
set, I would say we can create users which are not computers with an SPN. Don't
you agree?

Rowland Penny via samba

Aug 30, 2016, 11:00:04 AM
On Tue, 30 Aug 2016 16:25:03 +0200
mathias dufresne <infra...@gmail.com> wrote:

> 2016-08-30 16:10 GMT+02:00 Rowland Penny via samba
> <sa...@lists.samba.org>:
>
> > On Tue, 30 Aug 2016 15:58:13 +0200
> > mathias dufresne via samba <sa...@lists.samba.org> wrote:
> >
> > > And reading the last mails strengthens my belief that the filter used by
> > > the client side to retrieve the user is not correct; that filter should
> > > use the SPN, then you won't need to put the SPN into the UPN field.
> > >
> >
> > I think the problem is the way Louis is creating the SPN: all the
> > info I have found on the internet seems to assume you will use a
> > computer account and not a user account.
> >
> > Even Squid's own page tells you to use a computer account:
> >
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> >
> > Rowland
> >
>
> Hi Rowland,
>
> As the DNS back end, when configured to use Bind+DLZ, authenticates the DNS
> user (dns-<DCname>) using an SPN, and as this user does not have objectclass
> "computer" set, I would say we can create users which are not computers
> with an SPN. Don't you agree?

Yes of course you can, but Louis is changing the user's UPN into an SPN
in all but name.

Rowland

L.P.H. van Belle via samba

Aug 30, 2016, 11:30:02 AM
> > Hi Rowland,
> >
> > As the DNS back end, when configured to use Bind+DLZ, authenticates the DNS
> > user (dns-<DCname>) using an SPN, and as this user does not have objectclass
> > "computer" set, I would say we can create users which are not computers
> > with an SPN. Don't you agree?
>
> Yes of course you can, but Louis is changing the user's UPN into an SPN
> in all but name.
>
> Rowland

Yes, since this "user" is not a real user..
The way I did the setup is like a windows MSA (Managed Service Account) or Virtual account.

So that's why I mailed the samba list...
It can happen that we need to change the UPN..

There are 3 ways to do the setup we are talking about here.
It's majorly off topic for samba, so I'll explain for the last time.

1) setup as shown in that wiki link:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Which >> I << don't like because of the use of msktutil.
And which is not included in debian, and needs a setup in cron to refresh the keytab etc, lots of points of failure.
I've tried msktutil years ago as well, I just didn't like it, had too many problems with it.

2) creating a user account, which you can use for services.
As I did, which works fine.
What I did here was add 2 SPNs to the account for 2 different proxy servers. Which worked fine also, but the company needed some group filtering.
Which needed a change in the setup. For the group filtering,
which wasn't implemented yet with kerberos, I tested the ldap group already, worked also but it's nice to use one type of auth.

While testing this, I detected something off..
with ext_kerberos_ldap_group_acl only, not squid.

3) and my next install, which in my opinion is the best for me, since I use only debian packages.
Use (samba) winbind to add the computer account, add there what's needed and set up the UPN/SPNs per server.

Pffew..

Everybody happy,.. I am..

Greetz,

Louis