QA: Kerberos Authentication and External Trusts in UCS Domains

Introduction

In multi-domain environments that combine UCS (Univention Corporate Server) with Microsoft Active Directory (AD), authentication interoperability is a critical topic, especially where services like Microsoft Exchange are accessed across trust boundaries. This article addresses the limitations and current capabilities of UCS in such configurations, particularly concerning Kerberos authentication, external trusts, and group synchronization in multi-domain or multi-forest scenarios.

This article references the official UCS 5.2 documentation and aims to provide clarity for administrators integrating UCS with Microsoft AD under real-world constraints.


Scenario Overview

The environment in question consists of:

  • A UCS managed domain: Univent.LOCAL, with two UCS domain controllers (mdc and dc3)
  • A separate Microsoft AD domain: KA.Univent.DE, hosting Microsoft Exchange
  • An existing incoming, unidirectional external trust from KA.Univent.DE to Univent.LOCAL

The trust is visible as:

$ sudo samba-tool domain trust list
Type[External] Transitive[No] Direction[INCOMING] Name[ka.univent.de]

While users from Univent.LOCAL can access Exchange services, authentication defaults to NTLM. Attempts to use Kerberos authentication fail, which raises questions about the feasibility of Kerberos referrals or alternative trust types such as Forest Trusts.


1. External Trusts: NTLM vs. Kerberos

Current UCS Support: NTLM Only

According to the UCS 5.2 Manual, Chapter 9.4: Trust Relationships, UCS currently supports only incoming, unidirectional external trusts. These are limited to NTLM authentication:

“UCS only supports incoming, unidirectional external trusts; Kerberos referral is not implemented, NTLM is the only protocol.”

This behavior stems from UCS's reliance on Samba 4 and Heimdal Kerberos. In contrast to Microsoft's implementation, UCS does not currently provide a mechanism to configure UCS KDCs or Samba clients to perform cross-realm Kerberos authentication via external trusts.

Kerberos Referrals in External Trusts

While Microsoft AD environments can support Kerberos across external trusts by configuring client and KDC realms explicitly (see external reference), this is not supported or documented in UCS.

There is no supported method in UCS to modify krb5.conf, Samba, or Heimdal configurations to achieve reliable Kerberos authentication in such cross-realm scenarios.
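As an added diagnostic example (not code from the UCS documentation or the Samba project), the following Python parses the `samba-tool domain trust list` output shown above and reports, per trust, what a UCS 5.2 DC can offer according to the rules in this section. The second sample line (a forest trust to a placeholder domain) is constructed to show how an unsupported trust is reported.

```python
import re

# One line of `samba-tool domain trust list` output looks like:
#   Type[External] Transitive[No] Direction[INCOMING] Name[ka.univent.de]
_TRUST_RE = re.compile(
    r"Type\[(?P<type>[^\]]+)\]\s+Transitive\[(?P<transitive>[^\]]+)\]\s+"
    r"Direction\[(?P<direction>[^\]]+)\]\s+Name\[(?P<name>[^\]]+)\]"
)

def parse_trust_list(output):
    """Turn the command output into a list of dicts; non-matching lines are skipped."""
    trusts = []
    for line in output.splitlines():
        m = _TRUST_RE.search(line)
        if m:
            t = m.groupdict()
            t["transitive"] = t["transitive"].strip().lower() == "yes"
            trusts.append(t)
    return trusts

def assess_trust(trust):
    """UCS 5.2 rules: only incoming, non-transitive external trusts are supported,
    and even those authenticate with NTLM only (no Kerberos referral)."""
    problems = []
    if trust["type"].lower() != "external":
        problems.append("trust type %s is not supported by UCS 5.2 (external only)" % trust["type"])
    if trust["direction"].upper() != "INCOMING":
        problems.append("direction %s is not supported by UCS 5.2 (incoming only)" % trust["direction"])
    if trust["transitive"]:
        problems.append("transitive trusts are not supported by UCS 5.2")
    return {
        "name": trust["name"],
        "supported": not problems,
        "ntlm": not problems,   # NTLM works across a supported external trust
        "kerberos": False,      # Kerberos referral over trusts is not implemented in UCS 5.2
        "problems": problems,
    }

def assess_output(output):
    return [assess_trust(t) for t in parse_trust_list(output)]

# Constructed sample: the first line is the trust from this article, the second is a
# hypothetical forest trust (placeholder domain name) to exercise the unsupported path.
SAMPLE_OUTPUT = """\
Type[External] Transitive[No] Direction[INCOMING] Name[ka.univent.de]
Type[Forest] Transitive[Yes] Direction[BOTH] Name[example.invalid]
"""

if __name__ == "__main__":
    for r in assess_output(SAMPLE_OUTPUT):
        print("%-20s %s %s" % (r["name"], "NTLM only" if r["supported"] else "unsupported", "; ".join(r["problems"])))
```

On a live DC the output is obtained with `sudo samba-tool domain trust list` and fed to `assess_output`.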


2. Group Types and Cross Domain Membership Limitations

Beyond authentication, the configuration of security principals across domain boundaries has its own constraints. The UCS 5.2 Manual, Chapter 7.6 outlines the limitations regarding group types and synchronization in trusted environments:

Group Type        | UCS Support Details
------------------|----------------------------------------------------------------------------------
Global Groups     | Only support domain-local users; members from external trusted domains are not allowed
Domain-Local      | Can include users from trusted domains, but are only visible in their home domain
Universal Groups  | Require a Global Catalog and forest-wide visibility, which Samba/UCS does not support

“The current version of UCS does not support multiple domains/forests or outgoing trusts.”

This further reinforces the architectural limitation: cross-domain group management and forest-wide visibility are not feasible in UCS 5.2.
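As an added example (not from the UCS manual) of applying the group-type rules in the table above to directory data: the functions below decode the AD/Samba groupType attribute as ldapsearch returns it (a signed 32-bit decimal) and flag members that the rules would reject or restrict. The DNs and the foreign-security-principal SID are constructed placeholders; in a real run the groupType and member values would come from ldapsearch against the UCS Samba directory.

```python
# Scope bits of the AD/Samba groupType attribute. ldapsearch prints the attribute as a
# signed 32-bit decimal, e.g. -2147483646 (0x80000002) for a global security group.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008

def group_scope(group_type):
    """Map a raw groupType value to its scope name."""
    flags = int(group_type) & 0xFFFFFFFF   # normalise the signed LDAP representation
    if flags & GROUP_TYPE_GLOBAL:
        return "global"
    if flags & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain-local"
    if flags & GROUP_TYPE_UNIVERSAL:
        return "universal"
    raise ValueError("unrecognised groupType %r" % group_type)

def dn_domain(dn):
    """Join the DC= components of a DN into a lower-cased DNS domain name."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def is_external_member(member_dn, group_dn):
    """External = stored in another domain's naming context, or represented as a
    foreign security principal (how AD/Samba records accounts from a trusted domain)."""
    if dn_domain(member_dn) != dn_domain(group_dn):
        return True
    return "cn=foreignsecurityprincipals" in member_dn.lower()

def check_group(group_dn, group_type, member_dns):
    """Return (scope, errors, notes) for one group under the UCS 5.2 rules."""
    scope = group_scope(group_type)
    errors, notes = [], []
    if scope == "universal":
        errors.append("universal groups need a Global Catalog, which UCS/Samba does not provide")
    for dn in member_dns:
        if not is_external_member(dn, group_dn):
            continue
        if scope == "global":
            errors.append("global group may not contain external member %s" % dn)
        elif scope == "domain-local":
            notes.append("external member %s is only resolvable inside %s" % (dn, dn_domain(group_dn)))
    return scope, errors, notes

# Constructed sample: a foreign security principal from the trusted domain (placeholder SID)
# and a local user, both listed as members of a group in Univent.LOCAL.
FSP = "CN=S-1-5-21-PLACEHOLDER-1105,CN=ForeignSecurityPrincipals,DC=Univent,DC=LOCAL"
LOCAL_USER = "CN=alice,CN=Users,DC=Univent,DC=LOCAL"
GLOBAL_GROUP = "CN=exchange-users,CN=Groups,DC=Univent,DC=LOCAL"
```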


3. Forest Trusts: Are They a Viable Solution?

Theoretical Benefits of Forest Trusts

In Microsoft AD environments, forest trusts allow transitive and Kerberos-based authentication across realms, including full support for cross-realm Kerberos ticket forwarding.

Your assumption is correct: switching from an external trust to a forest trust could, in theory, enable Kerberos authentication across domains.

Current UCS Support Status

However, as of UCS 5.2, forest trusts are not supported. The same documentation referenced earlier confirms:

“UCS supports neither outgoing trusts nor multiple forests.”

The older blog post you referenced (Univention Blog, 2020) outlines how to establish external trust relationships, but does not imply support for forest trust relationships — a feature that would require deep changes to Samba and Heimdal’s trust model.

There is no indication in current UCS or Samba roadmaps or release notes that forest trusts or cross-realm Kerberos support will be added in the near term.


Conclusion and Recommendations

Given the current limitations:

  • NTLM is the only supported method for authentication across UCS external trusts
  • Cross-realm Kerberos (Kerberos referrals) is not supported in UCS or Samba via external trusts
  • Forest trusts, while technically solving this issue in Microsoft AD, are not available in UCS as of version 5.2
  • Heimdal in UCS cannot be configured to manually support Kerberos for other realms without unsupported customization

Recommendations

Scenario                          | Recommendation
----------------------------------|----------------------------------------------------------------------------
Need for Exchange access          | Continue using NTLM-based authentication
Need for Kerberos authentication  | Consider migrating to a unified domain or Microsoft AD-only setup if Kerberos is required
Multi-forest group management     | Avoid complex cross-domain group assignments

References