John Perkins
2013-Jan-04 22:50 UTC
[Samba] Migrating kerberos KDC data into Samba4 internal KDC
Is there a mechanism to migrate/import user principal information from an MIT KDC into a Samba4 internal KDC?

We currently run our Active Directory users with Account Mappings that utilize a cross-realm trust between our MIT KDC (where user principals are maintained) and the Active Directory domain, as documented at http://tinyurl.com/bx9znca. This works fine for our Windows clients, but it does cause some headaches for software and some clients that expect to find username/password information in Active Directory.

Using the MIT KDC as the KDC for the Samba4 ADS controller would be fine, or some mechanism to sync user principal information between the KDCs should do what I'm looking for. Unfortunately, I'm not certain this functionality is feasible or even possible.

John
Michael Wood
2013-Jan-05 22:51 UTC
[Samba] Migrating kerberos KDC data into Samba4 internal KDC
Hi

On 5 January 2013 00:50, John Perkins <john at cs.wisc.edu> wrote:
> Is there a mechanism to migrate/import user principal information from an MIT
> KDC into a Samba4 internal KDC?
>
> We currently run our Active Directory users with Account Mappings that
> utilize a cross-realm trust between our MIT KDC (where user principals are
> maintained) and the Active Directory domain, as documented at
> http://tinyurl.com/bx9znca. This works fine for our Windows clients, but
> it does cause some headaches for software and some clients that expect to
> find username/password information in Active Directory.
>
> Using the MIT KDC as the KDC for the Samba4 ADS controller would be fine, or
> some mechanism to sync user principal information between the KDCs should do
> what I'm looking for. Unfortunately, I'm not certain this functionality is
> feasible or even possible.
>
> John

The following threads in the samba-technical archives might help:

http://lists.samba.org/archive/samba-technical/2010-April/thread.html#70554
http://lists.samba.org/archive/samba-technical/2010-August/thread.html#72944
http://lists.samba.org/archive/samba-technical/2011-November/thread.html#80418

--
Michael Wood <esiotrot at gmail.com>
Andrew Bartlett
2013-Jan-06 01:59 UTC
[Samba] Migrating kerberos KDC data into Samba4 internal KDC
On Fri, 2013-01-04 at 16:50 -0600, John Perkins wrote:
> Is there a mechanism to migrate/import user principal information from an
> MIT KDC into a Samba4 internal KDC?
>
> We currently run our Active Directory users with Account Mappings that
> utilize a cross-realm trust between our MIT KDC (where user principals
> are maintained) and the Active Directory domain, as documented at
> http://tinyurl.com/bx9znca. This works fine for our Windows clients,
> but it does cause some headaches for software and some clients that
> expect to find username/password information in Active Directory.
>
> Using the MIT KDC as the KDC for the Samba4 ADS controller would be
> fine, or some mechanism to sync user principal information between the
> KDCs should do what I'm looking for. Unfortunately, I'm not certain
> this functionality is feasible or even possible.

Currently we don't have the import code finished here, but there are ways to make this work. Particularly for a case with mapping to an existing AD DC, it is going to be a bit custom.

If you don't mind restricting yourself to the arcfour-hmac-md5 encryption type, then extracting that key, then importing it into the unicodePwd attribute (with the right magic controls) won't be too difficult. There is a magic control you can specify to the python ldb bindings to set a particular password, or you can do it via passdb using the python interface.

See source4/scripting/python/samba/upgrade.py for some inspiration, particularly the last part where the admin pw is forced.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
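The two halves of what Andrew describes, worked through as an added example (this is not code from the thread, from upgrade.py, or from Samba itself). The facts it relies on: per RFC 4757 the arcfour-hmac-md5 (enctype 23) key is the unsalted MD4 of the UTF-16LE password, i.e. the same 16 bytes Active Directory keeps in unicodePwd as the NT hash; and Samba's local control 1.3.6.1.4.1.7165.4.3.12 (DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID) makes a write to unicodePwd be taken as that raw hash rather than as a cleartext password. The principal's DN, the sample password and the user name are made up for the example; MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Added example: enctype-23 key <-> NT hash, and the unicodePwd write.
Not Samba project code. DN/password below are hypothetical sample values."""
import base64
import struct

# Samba's DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID (dsdb.h).
BYPASS_PASSWORD_HASH_OID = "1.3.6.1.4.1.7165.4.3.12"
_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), little-endian words, 64-byte blocks."""
    def rotl(x, n):
        x &= _MASK
        return ((x << n) | (x >> (32 - n))) & _MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order, shifts 3/7/11/19
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,..., shifts 3/5/9/13
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,..., shifts 3/9/11/15
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a, b, c, d = d, rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 over UTF-16LE, no salt. Equals the NT hash,
    which is why an enctype-23 key from an MIT KDB can go straight into unicodePwd."""
    return md4(password.encode("utf-16-le"))


def bypass_control() -> str:
    """Control string for samdb.modify(controls=[...]) or ldbmodify --controls."""
    return "local_oid:%s:0" % BYPASS_PASSWORD_HASH_OID


def unicodepwd_ldif(dn: str, nt_hash: bytes) -> str:
    """LDIF replacing unicodePwd with the raw 16-byte hash (base64 on the wire).
    With the bypass control set, Samba rejects any value that is not 16 bytes."""
    if len(nt_hash) != 16:
        raise ValueError("unicodePwd must be exactly 16 bytes when bypassing hashing")
    return ("dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n"
            % (dn, base64.b64encode(nt_hash).decode()))


def import_rc4_key(samdb, dn: str, nt_hash: bytes) -> None:
    """Same write through the python ldb bindings; needs Samba's modules, so it
    is not exercised here. samdb is an already-opened local sam.ldb (SamDB)."""
    import ldb  # Samba's python bindings
    m = ldb.Message()
    m.dn = ldb.Dn(samdb, dn)
    m["unicodePwd"] = ldb.MessageElement(nt_hash, ldb.FLAG_MOD_REPLACE, "unicodePwd")
    samdb.modify(m, controls=[bypass_control()])


if __name__ == "__main__":
    key = rc4_hmac_key("password")  # hypothetical sample password
    print("enctype 23 key / NT hash:", key.hex())
    print(unicodepwd_ldif("CN=jdoe,CN=Users,DC=example,DC=com", key))  # hypothetical DN
    print("apply with: ldbmodify -H sam.ldb --controls=%s user.ldif" % bypass_control())
```

Two consequences follow from doing it this way. Only the RC4 key is portable: MIT's AES keys are salted with the realm and principal name (RFC 3962), so they cannot be copied into a different realm, and Samba derives its own AES keys from the cleartext at password-set time, so an account populated through the bypass control holds only the NT hash and can authenticate with RC4 (and NTLM) until the user next changes the password. And, as in upgrade.py, the write is to the local sam.ldb on the DC with the local control, not an LDAP operation from a client; the extracted keys are credentials and should be handled and discarded as such.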