
Enabling Single Sign On with Active Directory for Linux hosts

1) Join the server to Active Directory using the Samba tooling (net ads join).

2) a) Obtain the machine's password using tdbtool.

The password is the string on the far right of the tdbtool output. It's broken across two strings ... the actual password is _bT74OTsVqspbF

2) b) Create a user in AD for each kerberized service on the Linux host, for instance:

nfs-server1
host-server2

... for nfs, sshd, etc., depending on which services you'd like to kerberize: one user for each service.

3) On the Windows host, use either (a) the obtained machine password or (b) the new service user's password with the Windows ktpass command to create the service principal and export an MIT-style keytab.

ktpass needs to be run once for each kerberized service:

ktpass -princ host/fqdn@DOMAIN.COM -mapuser computer$ -pass XXXXXXXXXXXXXX -out host

Be aware that this generates 56-bit DES keys for these services. Some sites might have standardized on better encryption types.

4) Fix the userPrincipalName: it gets reset to the service principal you specify with each execution of ktpass. Use ADSI Edit to change the userPrincipalName back to HOST/server@DOMAIN.COM.

ADSI Edit -> Domain NC -> right-click on machine acct -> properties -> userPrincipalName

5) Securely transport the keytabs to the host, meaning over ssh or on an external disk. Be sure that any copies of the keytabs left on the Windows server are deleted.

6) Use ktutil to combine the keytabs. Be sure to delete the originals; they are a security risk.

$ ktutil
ktutil: rkt sshd
ktutil: rkt host
ktutil: rkt nfs
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 cifs/xenhost1.example.com@EXAMPLE.COM
2 1 sshd/xenhost2.example.com@EXAMPLE.COM
3 1 host/xenhost3.example.com@EXAMPLE.COM
4 1 nfs/xenhost4.example.com@EXAMPLE.COM

ktutil: wkt krb5.keytab
ktutil: q
$

7) Move the resulting keytab to /etc/krb5.keytab and chmod it to 700.

8) Edit the service-specific config files so that each service knows which service principal to use, if possible.
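As an added check after the merge (example code written for this page, not part of the original), the script below parses an MIT-format keytab directly and flags the single-DES keys that step 3 warns about, so the merged /etc/krb5.keytab can be audited even on a host without klist. build_keytab, the sample principals and the dummy key bytes are assumptions used only so it runs offline.

```python
import struct
# RFC 3961/3962 enctype numbers; 1, 2 and 3 are single DES (56-bit keys).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac", 18: "aes256-cts-hmac-sha1-96"}
def _counted(buf, pos):  # 16-bit length-prefixed octet string -> (bytes, next pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):  # version 0x0502 MIT keytab -> entry dicts (key bytes are skipped)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size <= 0:                       # a negative size marks a deleted slot
            pos += 4 - size
            continue
        p, end, comps = pos + 4, pos + 4 + size, []
        ncomp = struct.unpack_from(">H", data, p)[0]
        realm, p = _counted(data, p + 2)    # the realm is stored before the components
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen                      # skip over the key material itself
        kvno = vno8
        if p + 4 <= end:                    # optional 32-bit kvno follows; nonzero wins
            kvno = struct.unpack_from(">I", data, p)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
        pos = end
    return entries
def weak_entries(entries):  # single-DES keys: the 56-bit keys the ktpass step generates
    return [e for e in entries if e["enctype"] in (1, 2, 3)]

def build_keytab(specs):  # minimal keytab writer (assumed helper) so the audit runs offline
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in specs:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", len(parts := name.split("/")))
        for s in [realm] + parts:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
SAMPLE = build_keytab([  # constructed sample mirroring the page's merged keytab; dummy key bytes
    ("host/xenhost1.example.com@EXAMPLE.COM", 1, 3, b"\x01" * 8),
    ("sshd/xenhost1.example.com@EXAMPLE.COM", 1, 3, b"\x02" * 8),
    ("nfs/xenhost1.example.com@EXAMPLE.COM", 2, 18, b"\x03" * 32)])
```

On a real host, run weak_entries(parse_keytab(open("/etc/krb5.keytab", "rb").read())) as root; any principal it returns still has a DES key and should be re-keyed with a stronger enctype.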

Hosts and properly kerberized applications should now be able to access kerberized services on your host without having to re-authenticate, provided they have a valid TGT.