Since Samba 4's authentication is based on Kerberos, many of us with an MIT Kerberos infrastructure would like to be able to use Samba to allow Windows users to authenticate with their Kerberos passwords. It's not as easy as it sounds - not only does Samba use Heimdal, but the Heimdal KDC is thoroughly embedded in the Samba environment and cannot (as of December 2011) be manipulated with the regular Heimdal tools. But it can be done! Here's how.
Note that this assumes that the user already exists in Samba, and that the CN of the user is the same as the username. (If you create the user with samba-tool and specify a surname, you should use the --use-username-as-cn option.)
Step 1 - export the user from MIT:
On the MIT KDC, use kdb5_util to dump the user's key data. Use the -b7 dump format option. E.g.:
kdb5_util dump -b7 USERNAME.mit USERNAME@REALM.WHATSAMATTAU.EDU
Step 2 - transfer the dump file to the Samba domain controller.
Step 3 - remove unneeded keys
A Kerberos principal's key may be encoded in several different ways. The only one Samba needs is arcfour-hmac-md5 (type 23), and the conversion code may choke on other types. The Python script filterdump.py will remove all but the first type 23 key; use it thus:
python filterdump.py <USERNAME.mit >USERNAME.mitdump
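The page's filterdump.py is not reproduced here, so the following is an added example of the same filtering step, not the author's script. It walks each "princ" record of a version-7 dump, keeps only the first key entry whose enctype is 23, and rewrites the record's key count to match, so that the header, policy lines and tl_data pass through untouched. The field layout it assumes is spelled out in the docstring and is my reading of the -b7 format; the sample record is constructed with placeholder key bytes.

```python
#!/usr/bin/env python3
"""Keep only the first arcfour-hmac-md5 (enctype 23) key in every principal
record of a kdb5_util "dump -b7" file.

Added example standing in for the page's filterdump.py (which the page does
not show); it is not that script.  The record layout below is my reading of
the version-7 dump format; check it against a real dump before use.

  princ  <base_len> <n_tl_data> <n_key_data> <e_length> <principal>
         <attributes> <max_life> <max_renewable_life> <expiration>
         <pw_expiration> <last_success> <last_failed> <fail_auth_count>
         n_tl_data  x ( <type> <length> <hex or -1> )
         n_key_data x ( <ver> <kvno>  ver x ( <type> <length> <hex or -1> ) )
         <e_data hex or -1>;
Fields are tab-separated; the record ends with ";".  In each key entry the
first <type> is the enctype (23 = arcfour-hmac-md5), and when <ver> is 2 the
second triple is the salt.
"""
import sys

ARCFOUR_HMAC_MD5 = 23
N_FIXED = 14  # "princ" plus the 13 fixed fields that precede tl_data


def parse_princ(line):
    """Split one 'princ' record into (header, tl_data, key_data, tail)."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] != "princ":
        raise ValueError("not a princ record")
    n_tl, n_keys = int(fields[2]), int(fields[3])
    pos = N_FIXED
    header = fields[:pos]
    tl_data = []
    for _ in range(n_tl):
        tl_data.append(fields[pos:pos + 3])
        pos += 3
    key_data = []
    for _ in range(n_keys):
        ver, kvno = int(fields[pos]), fields[pos + 1]
        pos += 2
        triples = []
        for _ in range(ver):
            triples.append(fields[pos:pos + 3])
            pos += 3
        key_data.append((ver, kvno, triples))
    tail = fields[pos:]  # e_data (or -1) together with the trailing ';'
    return header, tl_data, key_data, tail


def filter_record(line, enctype=ARCFOUR_HMAC_MD5):
    """Return the record with only its first key of the given enctype."""
    header, tl_data, key_data, tail = parse_princ(line)
    keep = [k for k in key_data if int(k[2][0][0]) == enctype][:1]
    if not keep:
        raise ValueError("%s has no enctype %d key" % (header[5], enctype))
    header[3] = str(len(keep))  # n_key_data now counts only the kept key
    out = list(header)
    for triple in tl_data:
        out.extend(triple)
    for ver, kvno, triples in keep:
        out.extend([str(ver), kvno])
        for triple in triples:
            out.extend(triple)
    out.extend(tail)
    return "\t".join(out) + "\n"


def filter_dump(lines, enctype=ARCFOUR_HMAC_MD5):
    """Filter every princ record; pass the header and policy lines through."""
    return [filter_record(l, enctype) if l.startswith("princ\t") else l
            for l in lines]


# Constructed sample record: aes256 (18, with a salt triple), arcfour (23),
# then des-cbc-crc (3).  The key bytes are placeholders, not real material.
SAMPLE_RECORD = (
    "princ\t38\t1\t3\t0\talice@EXAMPLE.ORG\t0\t86400\t604800\t0\t0\t0\t0\t0\t"
    "1\t8\t0011223344556677\t"
    "2\t1\t18\t32\t" + "aa" * 32 + "\t0\t0\t-1\t"
    "2\t1\t23\t16\t" + "bb" * 16 + "\t0\t0\t-1\t"
    "1\t1\t3\t8\t" + "cc" * 8 + "\t"
    "-1;\n"
)

if __name__ == "__main__":
    # Same calling convention as the page's script: stdin in, stdout out.
    sys.stdout.writelines(filter_dump(sys.stdin.readlines()))
```

Because the script raises on a principal that has no type 23 key, a dump for a user whose MIT entry was created without arcfour-hmac-md5 fails here rather than producing a record the later conversion cannot use.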
Step 4 - decrypt and convert the dump to Heimdal format
The MIT tools do not provide a way to get an unencrypted key, so we have to convert to Heimdal format to decrypt it. This step and the next one can be done with one script - see below.
Step 5 - extract the key, convert it to base64, and put it in the Samba database
Step 4 and this step can be done with the script syncdump.py. This script requires the Heimdal tools hprop and hpropd and a copy of the key that was used to encrypt the dump. This key is the same as the MIT master key (unless you used the -mkey_convert option when you made the dump) and needs to be in keytab format (the older MIT "stash" format will not work). Heimdal's ktutil can be used to create the keytab; make sure that the enctype is the same as the master key's. Run this script (as root) thus:
python syncdump.py USERNAME.mitdump
That's it!