Howto: Create an Account for External Authentication through Kerberos


Use the existing script create_spn_account.sh. With the command line below it creates a UCS user called krbauth_ext, maps this user to the HTTP service principal name extapp.intranet.multi.ucs and writes the keytab extapp.keytab, which can then be copied to the external service.

/usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname krbauth_ext --serviceprincipalname "HTTP/extapp.intranet.multi.ucs" --privatekeytab extapp.keytab

You will find the private keytab file at /var/lib/samba/private/extapp.keytab.

In case you need the assigned password, be aware that you must NOT change it on the user account (e.g. through udm or ldapmodify), as the keytab would then no longer match. Instead, read the password from secrets.ldb with the following command:

root@master:~ # ldbsearch -H /var/lib/samba/private/secrets.ldb "samaccountname=krbauth_ext" secret
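As an added example (not part of this howto and not one of Univention's own scripts), the following wrapper validates the service principal name before calling create_spn_account.sh and then checks that the resulting keytab is not readable by group or others before it is handed to the external service. The helper names (validate_spn, keytab_is_private, keytab_has_principal, create_and_check) are assumptions of this example; the script path and keytab directory are the ones the howto names, and the principal check only runs where klist is installed.

```shell
#!/bin/sh
# Added example: guard the SPN account creation from the howto and verify the
# keytab before it leaves the DC. Helper names are this example's own.
SPN_SCRIPT=/usr/share/univention-samba4/scripts/create_spn_account.sh
KEYTAB_DIR=/var/lib/samba/private

# Return 0 if the SPN has the shape SERVICE/fully.qualified.host, else 1.
validate_spn() {
    case "$1" in
        *[[:space:]]*) return 1 ;;                          # no whitespace
        */*/*) return 1 ;;                                  # exactly one slash
        [A-Za-z]*/[A-Za-z0-9]*.[A-Za-z0-9]*) return 0 ;;    # service + dotted host
        *) return 1 ;;
    esac
}

# Return 0 if the keytab exists and its mode denies group/other access
# (e.g. 600 or 400); a keytab is a long-term credential, not a config file.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")  # GNU / BSD stat
    case "$mode" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if klist lists the expected principal in the keytab, 1 if it does
# not, and 2 if klist is unavailable so the check could not be performed.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || {
        echo "klist not installed; skipping principal check" >&2
        return 2
    }
    klist -k "$1" | grep -qF "$2"
}

# Create the account/keytab as in the howto, then tighten and verify the file.
create_and_check() {
    account=$1; spn=$2; keytab=$3
    validate_spn "$spn" || { echo "rejecting malformed SPN: $spn" >&2; return 1; }
    "$SPN_SCRIPT" --samaccountname "$account" \
        --serviceprincipalname "$spn" --privatekeytab "$keytab" || return 1
    path=$KEYTAB_DIR/$keytab
    keytab_is_private "$path" || chmod 600 "$path"
    keytab_has_principal "$path" "$spn"
}

# Only act when explicitly asked, so sourcing this file for its helpers is safe.
if [ "${1:-}" = "--run" ]; then
    create_and_check krbauth_ext "HTTP/extapp.intranet.multi.ucs" extapp.keytab
fi
```

Run it on the DC as root with `--run`; copy the keytab to the external host only after keytab_is_private passes, using a channel that preserves the 600 mode (scp -p, or a secret store), and never by pasting it into a ticket or chat.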