HOWTO: Kerberos domain Join

Louis St-Amour louisstamour at
Wed Jun 22 20:24:50 GMT 2005

Some comments on the howto - and I also had a problem with the new
in-memory keytab code ...

On Thu, 2005-05-19 at 11:52 +1000, Andrew Bartlett wrote:
> This is an attempt to document the process required to perform a domain
> join of WinXP to Samba4, using Kerberos.  It assumes you already have
> followed tridge's tute on installing Samba4 as a DC, and have the config
> setup for that much.

If you get stuck or need help, also see howto.txt in the SAMBA 4 branch:

> On Wed, 2005-06-22 at 12:23 +1000, Andrew Bartlett wrote:
> > - obtain and install 'Lorikeet Heimdal', and link it into samba

> > cd samba4/source
> svn co svn:// heimdal
> > ./configure 
> > make clean HEIMDAL_EXTERNAL pch all

I couldn't build it with this, it complained about a missing header
file. To fix that, I changed it to:
make clean pch HEIMDAL_EXTERNAL all

If you don't have GCC 4.3 or higher, replace pch with proto:
make clean proto HEIMDAL_EXTERNAL all

Then follow the rest of the howto:

> >  - obtain and provision current Samba4
> >  - install the zone file into the DNS server

See "Verify DNS registration for domain controllers using the nslookup
command" at <>

> >  - configure Samba4
> >  - Join the WinXP client.

But I had a problem while following the howto:

Line 204 of gensec_gssapi.c failed to compile, complained that it
couldn't find gsskrb5_register_acceptor_keytab. After a quick grep of
the source, and a search on Google, I realised it was a typo and
changed it to gsskrb5_register_acceptor_identity, and it compiled ...

But it complained about passing an incompatible pointer type to the
gsskrb5_register_acceptor_identity function.

I just did a Google search and found this, which I'm hoping applies to
this problem, and that abartlet's already made the change to the
function, so it's a quick fix somehow:

> 05/19/05 16:45:10 <lha> well, yes, that is one option, but there isn't any alias in the current format
> 05/19/05 16:45:50 <lha> one way you can do it is to implement your own krb5_kt_ops 
> 05/19/05 16:46:05 <abartlet> yep, that's what I was intending to do
> 05/19/05 16:46:20 <abartlet> and have an in-memory type that we pass into the GSSAPI layer
> 05/19/05 16:46:29 <abartlet> (which stared me down a GSSAPI refactor...)
> 05/19/05 16:46:59 <lha> just change gsskrb5_register_acceptor_identity to take a keytab type
> 05/19/05 16:47:00 <abartlet> lha: the other reason to do it generally is that Samba3 has this problem now
> 05/19/05 16:47:12 <abartlet> where we try and export a keytab for other gssapi/kerberos applications
> 05/19/05 16:47:39 <lha> I agree that the kerberos code should support it

After the fix, I ran make test, and realised just how pre-alpha the
code is. (Some of the tests failed, but I couldn't see any way that
the change I made could make it fail - I doubt there are even tests
for this Heimdal stuff yet.)

So the big test was in adding a computer to the domain and ...

Well it found the server, and asked me for a username and password.
(So DNS and CLDAP worked, I assume)

I entered the username and password, and it an error message appeared,
saying it couldn't join the domain because: "A device attached to the
system is not functioning."

So either my fix didn't work, or there's something else I'm missing, I
guess. Any tips for troubleshooting this? Should I try to trace
packets somehow or send debug log files? (If there is logging for this
code?) I was using a Windows XP SP2 client, if it makes a difference.

Louis (aka. CSpotkill)

More information about the samba-technical mailing list