HOWTO: Kerberos domain Join

Andrew Bartlett abartlet at samba.org
Wed Jun 22 02:23:57 GMT 2005


On Thu, 2005-05-19 at 11:52 +1000, Andrew Bartlett wrote:
> This is an attempt to document the process required to perform a domain
> join of WinXP to Samba4, using Kerberos.  It assumes you already have
> followed tridge's tute on installing Samba4 as a DC, and have the config
> setup for that much.
> 
> It would be nice if someone else was able to reproduce this, and work
> with me on a more complete document.

A few updates are in order, for progress over the past few months:

> The steps are to:
- obtain and install 'Lorikeet Heimdal', and link it into samba
>  - obtain and provision current Samba4
>  - install the zone file into the DNS server
>  - configure Samba4
>  - Join the WinXP client.
> 

> Lorikeet Heimdal
(move into your samba4 source directory)

cd samba4/source

svn co svn://svnanon.samba.org/lorikeet/heimdal heimdal

> configure Samba4:
./configure 
make clean HEIMDAL_EXTERNAL pch all
> 
> Provision your database with setup/provision.pl, and copy the DNS zone
> and ldb files as indicated.
> 
> In your smb.conf, set: 
> 
> gensec:krb5=no
> gensec:gssapi_krb5=yes
> 
> Start the DNS server (ensure your WinXP client will use it)

> Start Samba4

> You should now be able to join in the usual way.
> 
> These instructions are based on what I did, but I've not gone back and
> re-tested it all.  My hope is to walk through with someone on IRC and see
> how much I missed out :-).  Clearly this needs to be made easier for our
> users...

The big change recently is that we build heimdal into samba4, so samba4
handles the startup of the kdc, and we use an in-memory keytab to avoid
dealing with external files (which may get out of sync etc.).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
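
A pre-join check for the setup described in the message above, as an added example that is not part of the original post or of Samba. The function names, file paths and sample realm are assumptions; the SRV names are the standard records a Windows client queries to locate a domain controller and KDC.

```sh
#!/bin/sh
# Added example: verify the smb.conf settings from the HOWTO and the SRV
# records a Windows client needs before attempting the domain join.

# smb_conf_has FILE KEY VALUE -> 0 if "KEY = VALUE" is set (spaces optional)
smb_conf_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}

# zone_has_srv FILE NAME -> 0 if the zone has an SRV record owned by NAME,
# written either relative (NAME) or fully qualified (NAME.domain.)
zone_has_srv() {
    awk -v n="$2" '
        /^[ \t]*;/ { next }                   # skip comment lines
        { name = tolower($1)
          if (name != n && index(name, n ".") != 1) next
          for (i = 2; i <= NF; i++) if (toupper($i) == "SRV") found = 1 }
        END { exit !found }' "$1"
}

# check_join_prereqs SMB_CONF ZONE_FILE -> exit status = number of problems
check_join_prereqs() {
    conf=$1 zone=$2 missing=0
    smb_conf_has "$conf" 'gensec:krb5' 'no' ||
        { echo "smb.conf: gensec:krb5=no not set"; missing=$((missing + 1)); }
    smb_conf_has "$conf" 'gensec:gssapi_krb5' 'yes' ||
        { echo "smb.conf: gensec:gssapi_krb5=yes not set"; missing=$((missing + 1)); }
    # Assumed record set: KDC location and DC location via _msdcs
    for srv in _kerberos._tcp _ldap._tcp.dc._msdcs; do
        zone_has_srv "$zone" "$srv" ||
            { echo "zone: no SRV record for $srv"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Constructed sample input (not from the post): the two smb.conf settings
# from the HOWTO and a zone fragment for a made-up host dc1.
demo() {
    d=$(mktemp -d)
    printf '[global]\n\tgensec:krb5 = no\n\tgensec:gssapi_krb5 = yes\n' > "$d/smb.conf"
    printf '%s\n' '_kerberos._tcp       IN SRV 0 100 88  dc1' \
                  '_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1' > "$d/zone"
    check_join_prereqs "$d/smb.conf" "$d/zone"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

Call `check_join_prereqs` with the real smb.conf and the zone file produced by provisioning; a non-zero exit status is the number of items to fix before joining the client.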