In Samba 4 environments the Kerberos services are provided by Samba; principals and keys are synchronized between Samba 4 (AD) and OpenLDAP by the S4-Connector.
For systems on which the “Samba account” and “Kerberos principal” options are set, a Kerberos principal and its key are created and stored in both AD and OpenLDAP.
To query all principals registered in AD, “univention-s4search” may be used:
univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' \
userPrincipalName servicePrincipalName
The Kerberos keytab for a system can be exported from AD via “samba-tool”. The exported file contains the system's long-term keys, so it must be protected like a password (restrictive permissions, removed from /tmp once it has been copied to its destination):
root@master:~# samba-tool domain exportkeytab /tmp/W7PRO-JM_ad.keytab \
--principal "host/W7PRO-JM.s4lish.qa@S4LISH.QA"
root@master:~# ktutil -k /tmp/W7PRO-JM_ad.keytab list
/tmp/W7PRO-JM_ad.keytab:
Vno Type Principal
3 des-cbc-crc host/W7PRO-JM.s4lish.qa@S4LISH.QA
3 des-cbc-md5 host/W7PRO-JM.s4lish.qa@S4LISH.QA
3 arcfour-hmac-md5 host/W7PRO-JM.s4lish.qa@S4LISH.QA
Alternatively the keytab may be exported from OpenLDAP via “kadmin -l”:
root@master:~# kadmin -l ext --keytab=/tmp/W7PRO-JM_ldap.keytab \
"host/W7PRO-JM.s4lish.qa@S4LISH.QA"
root@master:~# ktutil --keytab=/tmp/W7PRO-JM_ldap.keytab list
/tmp/W7PRO-JM_ldap.keytab:
Vno Type Principal
3 arcfour-hmac-md5 host/W7PRO-JM.s4lish.qa@S4LISH.QA
3 des-cbc-md5 host/W7PRO-JM.s4lish.qa@S4LISH.QA
3 des-cbc-crc host/W7PRO-JM.s4lish.qa@S4LISH.QA
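When the same principal is exported from AD and from OpenLDAP, the two keytabs should agree on the key version number and the key set; a difference means one side missed a key change, and a system using the lagging keytab will fail to authenticate. The following script is an added example, not part of the UCS documentation or of the Samba/Univention tools: it post-processes the text that Heimdal's `ktutil list` prints (Vno, Type, Principal columns, as in the listings above), compares two listings, and flags DES and RC4 (arcfour) keys, which are legacy encryption types. The listings it writes are constructed sample input and the file names are assumptions; in practice you would feed it the output of `ktutil --keytab=... list` for the two exported files.

```sh
#!/bin/sh
# Added example, not part of the UCS documentation or of the Samba/Univention
# tools. It post-processes Heimdal `ktutil list` output (Vno, Type, Principal
# columns) to answer two questions an operator has after exporting the same
# principal from AD and from OpenLDAP:
#   1. do both keytabs carry the same (kvno, enctype, principal) entries?
#   2. does either keytab still carry DES or RC4 (arcfour) keys?
# The listings written by write_samples are constructed sample input and the
# file names are assumptions.

# Reduce a listing to sorted "vno enctype principal" triples, dropping the
# file-name line, the column header and blank lines.
normalize_listing() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2, $3 }' "$1" | sort
}

# Return 0 when both listings contain exactly the same entries; otherwise print
# the entries that exist on only one side and return 1.
keytabs_match() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    normalize_listing "$1" > "$a"
    normalize_listing "$2" > "$b"
    if cmp -s "$a" "$b"; then
        rc=0
    else
        echo "entries only in $1:"; comm -23 "$a" "$b"
        echo "entries only in $2:"; comm -13 "$a" "$b"
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}

# Print entries whose enctype is DES or RC4. DES keys are brute-forceable and an
# RC4 key is the account's NT hash, so a keytab that still holds them keeps the
# principal attackable with legacy crypto even after AES keys are rolled out.
weak_entries() {
    normalize_listing "$1" | awk '$2 ~ /^(des-|arcfour-)/'
}

# True (exit 0) if the listing holds at least one weak entry.
has_weak() {
    [ -n "$(weak_entries "$1")" ]
}

# Highest key version number in the listing; both exports must agree on it,
# otherwise one side missed a password/key change.
max_vno() {
    normalize_listing "$1" | awk 'NR == 1 || $1 > m { m = $1 } END { print m + 0 }'
}

# Constructed listings: the AD and OpenLDAP exports of the host key as shown on
# the page (kvno 3, DES and RC4 only), plus an export taken after the key was
# rotated to AES (kvno 4), so that a mismatch and a clean keytab can be shown.
write_samples() {
    cat > "$1/ad.txt" <<'EOF'
/tmp/W7PRO-JM_ad.keytab:

Vno  Type                     Principal
  3  des-cbc-crc              host/W7PRO-JM.s4lish.qa@S4LISH.QA
  3  des-cbc-md5              host/W7PRO-JM.s4lish.qa@S4LISH.QA
  3  arcfour-hmac-md5         host/W7PRO-JM.s4lish.qa@S4LISH.QA
EOF
    cat > "$1/ldap.txt" <<'EOF'
/tmp/W7PRO-JM_ldap.keytab:

Vno  Type                     Principal
  3  arcfour-hmac-md5         host/W7PRO-JM.s4lish.qa@S4LISH.QA
  3  des-cbc-md5              host/W7PRO-JM.s4lish.qa@S4LISH.QA
  3  des-cbc-crc              host/W7PRO-JM.s4lish.qa@S4LISH.QA
EOF
    cat > "$1/rotated.txt" <<'EOF'
/tmp/W7PRO-JM_rotated.keytab:

Vno  Type                     Principal
  4  aes256-cts-hmac-sha1-96  host/W7PRO-JM.s4lish.qa@S4LISH.QA
  4  aes128-cts-hmac-sha1-96  host/W7PRO-JM.s4lish.qa@S4LISH.QA
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
if keytabs_match "$samples/ad.txt" "$samples/ldap.txt"; then
    echo "AD and OpenLDAP exports agree at kvno $(max_vno "$samples/ad.txt")"
fi
keytabs_match "$samples/ad.txt" "$samples/rotated.txt" ||
    echo "kvno $(max_vno "$samples/ad.txt") vs $(max_vno "$samples/rotated.txt"): re-export before trusting either keytab"
if has_weak "$samples/ad.txt"; then
    echo "legacy enctypes still present in ad.txt:"; weak_entries "$samples/ad.txt"
fi
rm -rf "$samples"
```

The functions only look at the first three columns, so the extra columns newer Heimdal versions print are ignored; a keytab whose listing shows only DES and RC4 entries, as in the page's example, should be treated as a sign that the account's supported encryption types need attention, not just that the export worked.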
To add a new SPN account, the script “create_spn_account.sh” may be used. It creates a new user in AD, disables password expiry for that user, registers the principal in Samba's secrets.ldb and exports a keytab to the given file (a relative file name is placed below /var/lib/samba/private):
root@master:~# /usr/share/univention-samba4/scripts/create_spn_account.sh \
--samaccountname 'foobar' \
--serviceprincipalname 'FOO/foobar' \
--privatekeytab 'foobar.keytab'
User 'foobar' created successfully
Expiry for user 'foobar' disabled.
Modified 1 records successfully
Added 1 records successfully
root@master:~# ktutil --keytab=/var/lib/samba/private/foobar.keytab list
/var/lib/samba/private/foobar.keytab:
Vno Type Principal
1 des-cbc-crc FOO/foobar@S4LISH.QA
1 des-cbc-crc foobar@S4LISH.QA
1 des-cbc-md5 FOO/foobar@S4LISH.QA
1 des-cbc-md5 foobar@S4LISH.QA
1 arcfour-hmac-md5 FOO/foobar@S4LISH.QA
1 arcfour-hmac-md5 foobar@S4LISH.QA
1 aes128-cts-hmac-sha1-96 FOO/foobar@S4LISH.QA
1 aes128-cts-hmac-sha1-96 foobar@S4LISH.QA
1 aes256-cts-hmac-sha1-96 FOO/foobar@S4LISH.QA
1 aes256-cts-hmac-sha1-96 foobar@S4LISH.QA
In some cases it may be necessary to change the User Principal Name (UPN) of the new AD user to match the Service Principal Name. Some documentation on connecting external services/systems to Active Directory uses the Microsoft tool “ktpass” for this (e.g. “KTPASS -MAPUSER foobar -PRINC FOO/foobar@s4lish.qa …”). On UCS 4 the UPN can be changed with “samba-tool user upn set”:
samba-tool user upn set foobar FOO/foobar@s4lish.qa
On UCS versions older than UCS 4 the attribute has to be edited manually with ldbedit:
ldbedit -H /var/lib/samba/private/sam.ldb -b "CN=foobar,CN=Users,DC=s4lish,DC=qa" \
userPrincipalName
If the user is removed with samba-tool (samba-tool user delete), the principal entry registered in secrets.ldb is not removed as well. The stale entry can break re-creation of the account with create_spn_account.sh, so remove the existing principal entry (the container is CN=Principals) like this:
ldbdel -H /var/lib/samba/private/secrets.ldb 'samAccountName="foobar",CN=Principals'