Working with kerberos principals and keytabs

ucs-3
kerberos
ucs-4

#1

In Samba 4 environments the Kerberos services are provided by Samba, principals and keys get are synchronizes between Samba 4 (AD) and OpenLDAP by the S4-Connector.

For System with the “Samba account” and “Kerberos principal” option is set a kerberos principal and key is created and stored in AD and OpenLDAP.

To query all principals registered in AD, “univention-s4search” may be used:

univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' userPrincipalName servicePrincipalName

The Kerberos keytab for systems can be exported from AD via “samba-tool”:

root@master:~# samba-tool domain exportkeytab /tmp/W7PRO-JM_ad.keytab --principal "host/W7PRO-JM.s4lish.qa@S4LISH.QA"
root@master:~# ktutil -k /tmp/W7PRO-JM_ad.keytab list
/tmp/W7PRO-JM_ad.keytab:

Vno  Type                       Principal                                                Aliases
 3   des-cbc-crc             host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-md5           host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   arcfour-hmac-md5    host/W7PRO-JM.s4lish.qa@S4LISH.QA

Alternatively the keytab may be exported from OpenLDAP via “kadmin -l”:

root@master:~# kadmin -l ext --keytab=/tmp/W7PRO-JM_ldap.keytab "host/W7PRO-JM.s4lish.qa@S4LISH.QA"
root@master:~# ktutil --keytab=/tmp/W7PRO-JM_ldap.keytab list
/tmp/W7PRO-JM_ldap.keytab:

Vno  Type                       Principal                                                Aliases
 3   arcfour-hmac-md5    host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-md5            host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-crc             host/W7PRO-JM.s4lish.qa@S4LISH.QA

To add a new SPN account, you may use a script called “create_spn_account.sh” which creates a new user in AD, disables the password expiry option and exports a keytab to the given file:

root@master:~# /usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname 'foobar' --serviceprincipalname 'FOO/foobar' --privatekeytab 'foobar.keytab'
User 'foobar' created successfully
Expiry for user 'foobar' disabled.
Modified 1 records successfully
Added 1 records successfully
root@master:~# ktutil --keytab=/var/lib/samba/private/foobar.keytab list
/var/lib/samba/private/foobar.keytab:

Vno  Type                                 Principal                                                Aliases
 1   des-cbc-crc                       FOO/foobar@S4LISH.QA
 1   des-cbc-crc                       foobar@S4LISH.QA
 1    des-cbc-md5                    FOO/foobar@S4LISH.QA
 1   des-cbc-md5                      foobar@S4LISH.QA
 1   arcfour-hmac-md5              FOO/foobar@S4LISH.QA
 1   arcfour-hmac-md5               foobar@S4LISH.QA
 1   aes128-cts-hmac-sha1-96   FOO/foobar@S4LISH.QA
 1   aes128-cts-hmac-sha1-96   foobar@S4LISH.QA
 1   aes256-cts-hmac-sha1-96   FOO/foobar@S4LISH.QA
 1   aes256-cts-hmac-sha1-96   foobar@S4LISH.QA

In some cases it might be needed to change the User Principal Name (UPN) of the new AD user to match the Service Principal Name. Some documentation on how to connect external services/systems to Active Directory involve the Microsoft tool “ktpass” for this (like “KTPASS -MAPUSER foobar -PRINC FOO/foobar@s4lish.qa …”). To change the UPN with UCS 4 you may use “samba-tool user upn set” like:

samba-tool user upn set foobar FOO/foobar@s4lish.qa

For systems older than UCS 4 you have to do a manual ldbedit:

ldbedit -H /var/lib/samba/private/sam.ldb -b "CN=foobar,CN=Users,DC=s4lish,DC=qa" userPrincipalName

If a user gets removed with the help of samba-tool the principle does not get removed as well. This could disturb the re-creation (see create_spn_account.sh) - this is how you can remove an existing principle:

ldbdel -H /var/lib/samba/private/secrets.ldb 'samAccountName="the samAccountName you want to delete",CN=Principles'