Syncing passwords from MIT Kerberos to Samba 4

Since Samba 4's authentication is based on Kerberos, many of us with an MIT Kerberos infrastructure would like to be able to use Samba to allow Windows users to authenticate with their Kerberos passwords. It's not as easy as it sounds - not only does Samba use Heimdal, but the Heimdal KDC is thoroughly embedded in the Samba environment and cannot (as of December 2011) be manipulated with the regular Heimdal tools. But it can be done! Here's how.

Note that this assumes that the user already exists in Samba, and that the CN of the user is the same as the username. (If you create the user with samba-tool and specify a surname, you should use the --use-username-as-cn option.)

Step 1 - export the user from MIT:

On the MIT KDC, use kdb5_util to dump the user's key data. Use the -b7 dump format option. E.g.:


Step 2 - transfer the dump file to the Samba domain controller.

Step 3 - remove unneeded keys

A Kerberos principal's key may be encoded in several different ways. The only one Samba needs is arcfour-hmac-md5 (type 23), and the conversion code may choke on other types. The Python script will remove all but the first type 23 key; use it thus:

python < >USERNAME.mitdump
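The filtering step above, as an added example that is not the page's own script: it reads a kdb5_util -b7 dump on stdin, leaves header and policy records alone, and for every principal keeps only the first arcfour-hmac-md5 (type 23) key, fixing up the n_key_data count so the record stays consistent. The record layout it assumes (tab-separated: a 14-field header, n_tl_data triples, then n_key_data key entries of ver, kvno and ver type/length/contents triples, then extra data and ';') is my reading of the version-7 dump format and should be treated as an assumption; the sample record and its hex blobs are constructed for illustration. Everything outside the key_data block is copied through untouched.

```python
"""Keep only the first arcfour-hmac-md5 (enctype 23) key of each principal
in a kdb5_util -b7 dump.  Added example, not the script the page refers to.
Layout of a 'princ' record (assumed from MIT's dump format, tab separated):
  princ len n_tl_data n_key_data e_length name <8 numeric attributes>
  n_tl_data x (type, length, hex-or--1)
  n_key_data x (ver, kvno, ver x (type, length, hex-or--1))
  e_data field, then ';'
"""
import sys

ARCFOUR_HMAC_MD5 = 23
HEADER_FIELDS = 14    # 'princ', len, n_tl_data, n_key_data, e_length, name, 8 attrs
TRIPLE = 3            # (type, length, contents) groups used by tl_data and key_data


def split_princ(fields):
    """Split a 'princ' record into header, tl_data tokens, key entries, trailer."""
    n_tl = int(fields[2])
    n_key = int(fields[3])
    pos = HEADER_FIELDS
    tl_tokens = fields[pos:pos + TRIPLE * n_tl]
    pos += TRIPLE * n_tl
    keys = []
    for _ in range(n_key):
        ver = int(fields[pos])              # 1 = key only, 2 = key + salt
        size = 2 + TRIPLE * ver             # ver, kvno, then ver triples
        keys.append(fields[pos:pos + size])
        pos += size
    return fields[:HEADER_FIELDS], tl_tokens, keys, fields[pos:]


def key_enctype(entry):
    """The enctype is the type of the first triple (the key, not the salt)."""
    return int(entry[2])


def keep_first_arcfour(line):
    """Rewrite one dump line; non-principal lines (header, policies) pass through."""
    if not line.startswith("princ\t"):
        return line
    fields = line.rstrip("\n").split("\t")
    header, tl_tokens, keys, trailer = split_princ(fields)
    kept = [k for k in keys if key_enctype(k) == ARCFOUR_HMAC_MD5][:1]
    if not kept:
        # Nothing Samba can use; better to stop than to emit a record that
        # the conversion step will choke on.
        raise ValueError("%s has no arcfour-hmac-md5 key" % header[5])
    header[3] = str(len(kept))              # n_key_data must match what follows
    flat_keys = [tok for entry in kept for tok in entry]
    return "\t".join(header + tl_tokens + flat_keys + trailer) + "\n"


def filter_dump(lines):
    """Apply keep_first_arcfour to every line of a dump."""
    return [keep_first_arcfour(line) for line in lines]


# Constructed sample record: one tl_data entry and two keys (aes256-cts = 18
# first, then arcfour-hmac-md5 = 23).  Hex blobs and lengths are illustrative.
SAMPLE = "\t".join([
    "princ", "38", "1", "2", "0", "alice@EXAMPLE.COM",
    "0", "86400", "604800", "0", "0", "0", "0", "0",
    "8", "8", "0011223344556677",                       # tl_data: type 8, 8 bytes
    "2", "1", "18", "34", "aa" * 34, "0", "0", "-1",    # key: ver 2, kvno 1, aes256 + default salt
    "2", "1", "23", "18", "bb" * 18, "0", "0", "-1",    # key: ver 2, kvno 1, arcfour + default salt
    "-1", ";",
]) + "\n"

if __name__ == "__main__":
    # Usage: python thisscript.py < dump > USERNAME.mitdump
    sys.stdout.writelines(filter_dump(sys.stdin))
```

Because the script only renumbers n_key_data and drops key entries, the principal's attributes, tl_data (including the last-password-change data) and extra data survive unchanged, which is what hprop/hpropd will read in the next step.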

Step 4 - decrypt and convert the dump to Heimdal format

The MIT tools do not provide a way to get an unencrypted key, so we have to convert to Heimdal format to decrypt it. This step and the next one can be done with one script - see below.

Step 5 - extract the key, convert it to base64, and put it in the Samba database

Step 4 and this step can be done with the script This script requires the Heimdal tools hprop and hpropd and a copy of the key that was used to encrypt the dump. This key is the same as the MIT master key (unless you used the -mkey_convert option when you made the dump) and needs to be in keytab format (older MIT "stash" format will not work). Heimdal's ktutil can be used to create the keytab; make sure that the enctype is the same as the master key's. Run this script (as root) thus:

python USERNAME.mitdump

That's it!