Working with Kerberos principals and keytabs

In Samba 4 environments the Kerberos services are provided by Samba; principals and keys are synchronized between Samba 4 (AD) and OpenLDAP by the S4 Connector.

For systems on which the “Samba account” and “Kerberos principal” options are set, a Kerberos principal and key are created and stored in both AD and OpenLDAP.

To query all principals registered in AD, “univention-s4search” may be used:

univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' \
  userPrincipalName servicePrincipalName

The Kerberos keytab for systems can be exported from AD via “samba-tool”:

root@master:~# samba-tool domain exportkeytab /tmp/W7PRO-JM_ad.keytab \
  --principal "host/W7PRO-JM.s4lish.qa@S4LISH.QA"
root@master:~# ktutil -k /tmp/W7PRO-JM_ad.keytab list
/tmp/W7PRO-JM_ad.keytab:

Vno  Type                       Principal
 3   des-cbc-crc                host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-md5                host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   arcfour-hmac-md5           host/W7PRO-JM.s4lish.qa@S4LISH.QA

Note that this host keytab carries only des-cbc-crc, des-cbc-md5 and arcfour-hmac-md5 keys. DES is broken and RC4 is deprecated, so check that the systems you export keytabs for also have AES keys, and treat the exported file like the account's password: keep it readable by root only and delete the copy in /tmp once it has been moved to its destination.

Alternatively the keytab may be exported from OpenLDAP via “kadmin -l”:

root@master:~# kadmin -l ext --keytab=/tmp/W7PRO-JM_ldap.keytab \
  "host/W7PRO-JM.s4lish.qa@S4LISH.QA"

root@master:~# ktutil --keytab=/tmp/W7PRO-JM_ldap.keytab list
/tmp/W7PRO-JM_ldap.keytab:
Vno  Type                       Principal
 3   arcfour-hmac-md5           host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-md5                host/W7PRO-JM.s4lish.qa@S4LISH.QA
 3   des-cbc-crc                host/W7PRO-JM.s4lish.qa@S4LISH.QA

To add a new SPN account, the script “create_spn_account.sh” shipped with univention-samba4 can be used. It creates a new user in AD, disables password expiry for that user, registers the principal in secrets.ldb and exports a keytab to the given file (a relative path is placed below /var/lib/samba/private/):

root@master:~# /usr/share/univention-samba4/scripts/create_spn_account.sh \
  --samaccountname 'foobar' \
  --serviceprincipalname 'FOO/foobar' \
  --privatekeytab 'foobar.keytab'
User 'foobar' created successfully
Expiry for user 'foobar' disabled.
Modified 1 records successfully
Added 1 records successfully

root@master:~# ktutil --keytab=/var/lib/samba/private/foobar.keytab list
/var/lib/samba/private/foobar.keytab:

Vno  Type                       Principal
 1   des-cbc-crc                FOO/foobar@S4LISH.QA
 1   des-cbc-crc                foobar@S4LISH.QA
 1   des-cbc-md5                FOO/foobar@S4LISH.QA
 1   des-cbc-md5                foobar@S4LISH.QA
 1   arcfour-hmac-md5           FOO/foobar@S4LISH.QA
 1   arcfour-hmac-md5           foobar@S4LISH.QA
 1   aes128-cts-hmac-sha1-96    FOO/foobar@S4LISH.QA
 1   aes128-cts-hmac-sha1-96    foobar@S4LISH.QA
 1   aes256-cts-hmac-sha1-96    FOO/foobar@S4LISH.QA
 1   aes256-cts-hmac-sha1-96    foobar@S4LISH.QA
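The listings above (the AD and OpenLDAP exports of the host keytab, and the freshly created foobar.keytab) are checked by eye. As an added example that is not code from this article, Univention or Samba, the following Python builds keytabs in the version 0x0502 file format that samba-tool, kadmin and ktutil read and write, parses them back, and audits them: it flags principals that carry only DES/RC4 keys (as the host keytab does), mixed kvnos within one principal, and kvno or key differences between two exports of the same principal, which is the check to run between the AD and the OpenLDAP export. Principal names, kvnos and enctypes are copied from the listings; the key bytes are constructed filler, and the “stale” keytab with kvno 2 is a hypothetical out-of-sync copy.

```python
"""Build, parse and audit Kerberos keytabs (file format version 0x0502).

Added example for the article, not code from Univention or Samba. Principals,
kvnos and enctypes follow the ktutil listings in the article; key bytes are
constructed filler (one repeated byte per key), not real keys."""
import struct

# Enctype numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
KEY_LENGTH = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}
WEAK_ENCTYPES = {1, 3, 23}  # DES is broken, RC4 is deprecated (RFC 8429)


def _counted(data):
    """16-bit big-endian length prefix, used for realm, components and key."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key). Returns keytab bytes."""
    out = bytearray(b"\x05\x02")
    for principal, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type KRB5_NT_PRINCIPAL (1), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, vno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", vno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of (principal, kvno, enctype, key) from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        value = data[pos:pos + n]
        pos += n
        return value

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:        # negative size marks a deleted slot: skip it
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        pos += 8            # skip name_type and timestamp
        vno = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        if end - pos >= 4:  # 32-bit kvno trailer overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, vno, enctype, key))
    return entries


def audit(entries):
    """Per principal: the kvnos and enctypes seen, plus a list of findings."""
    report = {}
    for principal, vno, enctype, key in entries:
        r = report.setdefault(principal, {"vnos": set(), "enctypes": set(), "issues": []})
        r["vnos"].add(vno)
        r["enctypes"].add(enctype)
        if enctype in KEY_LENGTH and len(key) != KEY_LENGTH[enctype]:
            r["issues"].append("bad key length for " + ENCTYPE_NAMES[enctype])
    for r in report.values():
        if not r["enctypes"] - WEAK_ENCTYPES:
            r["issues"].append("only DES/RC4 keys, no AES key")
        if len(r["vnos"]) > 1:
            r["issues"].append("mixed kvnos %s" % sorted(r["vnos"]))
    return report


def compare_keytabs(a, b):
    """Entries of keytab a whose (principal, enctype) is missing in b or has a
    different kvno or key, as (principal, enctype name, kvno in a, kvno in b)."""
    index = {(p, e): (v, k) for p, v, e, k in parse_keytab(b)}
    return [(p, ENCTYPE_NAMES.get(e, str(e)), v, index.get((p, e), (None, None))[0])
            for p, v, e, k in parse_keytab(a) if index.get((p, e)) != (v, k)]


def _key(enctype):
    return bytes([enctype]) * KEY_LENGTH[enctype]  # constructed filler, not a real key


HOST = "host/W7PRO-JM.s4lish.qa@S4LISH.QA"
AD_KEYTAB = build_keytab([(HOST, 3, e, _key(e)) for e in (1, 3, 23)])
LDAP_KEYTAB = build_keytab([(HOST, 3, e, _key(e)) for e in (23, 3, 1)])
# Hypothetical out-of-sync copy: the RC4 key still has kvno 2.
STALE_KEYTAB = build_keytab([(HOST, 2 if e == 23 else 3, e, _key(e)) for e in (1, 3, 23)])
SPN_KEYTAB = build_keytab([(p, 1, e, _key(e)) for e in (1, 3, 23, 17, 18)
                           for p in ("FOO/foobar@S4LISH.QA", "foobar@S4LISH.QA")])

if __name__ == "__main__":
    for label, kt in (("host AD export", AD_KEYTAB), ("foobar SPN", SPN_KEYTAB)):
        for principal, r in audit(parse_keytab(kt)).items():
            print(label, principal, sorted(r["vnos"]), r["issues"])
    print("AD vs LDAP:", compare_keytabs(AD_KEYTAB, LDAP_KEYTAB))
    print("AD vs stale:", compare_keytabs(AD_KEYTAB, STALE_KEYTAB))
```

To run the same checks on real exports, replace the constructed byte strings with `open("/tmp/W7PRO-JM_ad.keytab", "rb").read()` and the OpenLDAP export; the order of entries does not matter to compare_keytabs, which is why the AD and OpenLDAP listings above, which ktutil prints in different order, compare clean.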

In some cases it is necessary to change the User Principal Name (UPN) of the new AD user so that it matches the Service Principal Name. Some documentation on how to connect external services or systems to Active Directory involves the Microsoft tool “ktpass” for this (e.g. “KTPASS -MAPUSER foobar -PRINC FOO/foobar@s4lish.qa …”). On UCS 4 the UPN can be changed with “samba-tool user upn set”:

samba-tool user upn set foobar FOO/foobar@s4lish.qa

On systems older than UCS 4 the attribute has to be edited manually with ldbedit:

ldbedit -H /var/lib/samba/private/sam.ldb -b "CN=foobar,CN=Users,DC=s4lish,DC=qa" \
  userPrincipalName

If the user is removed with samba-tool, the principal registered in secrets.ldb is not removed with it. The left-over entry breaks re-creation of the account with create_spn_account.sh; remove an existing principal like this:

ldbdel -H /var/lib/samba/private/secrets.ldb 'samAccountName="foobar",CN=Principals'