HOWTO: Kerberos domain Join
louisstamour at gmail.com
Wed Jun 22 20:24:50 GMT 2005
Some comments on the howto - and I also had a problem with the new
in-memory keytab code ...
On Thu, 2005-05-19 at 11:52 +1000, Andrew Bartlett wrote:
> This is an attempt to document the process required to perform a domain
> join of WinXP to Samba4, using Kerberos. It assumes you already have
> followed tridge's tute on installing Samba4 as a DC, and have the config
> setup for that much.
If you get stuck or need help, also see howto.txt in the SAMBA 4 branch:
> On Wed, 2005-06-22 at 12:23 +1000, Andrew Bartlett wrote:
> > - obtain and install 'Lorikeet Heimdal', and link it into samba
> > cd samba4/source
> > svn co svn://svnanon.samba.org/lorikeet/trunk/heimdal heimdal
> > ./configure
> > make clean HEIMDAL_EXTERNAL pch all
I couldn't build it with this, it complained about a missing header
file. To fix that, I changed it to:
make clean pch HEIMDAL_EXTERNAL all
If you don't have GCC 4.3 or higher, replace pch with proto:
make clean proto HEIMDAL_EXTERNAL all
Then follow the rest of the howto:
> > - obtain and provision current Samba4
> > - install the zone file into the DNS server
See "Verify DNS registration for domain controllers using the nslookup
command" at <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b6879c0b-cff7-438d-a7f3-0715456dcefb.mspx>
> > - configure Samba4
> > - Join the WinXP client.
But I had a problem while following the howto:
Line 204 of gensec_gssapi.c failed to compile, complained that it
couldn't find gsskrb5_register_acceptor_keytab. After a quick grep of
the source, and a search on Google, I realised it was a typo and
changed it to gsskrb5_register_acceptor_identity, and it compiled ...
But it complained about passing an incompatible pointer type to the
I just did a Google search and found this, which I'm hoping applies to
this problem, and that abartlet's already made the change to the
function, so it's a quick fix somehow:
> 05/19/05 16:45:10 <lha> well, yes, that is one option, but there isn't any alias in the current format
> 05/19/05 16:45:50 <lha> one way you can do it is to implement your own krb5_kt_ops
> 05/19/05 16:46:05 <abartlet> yep, that's what I was intending to do
> 05/19/05 16:46:20 <abartlet> and have an in-memory type that we pass into the GSSAPI layer
> 05/19/05 16:46:29 <abartlet> (which stared me down a GSSAPI refactor...)
> 05/19/05 16:46:59 <lha> just change gsskrb5_register_acceptor_identity to take a keytab type
> 05/19/05 16:47:00 <abartlet> lha: the other reason to do it generally is that Samba3 has this problem now
> 05/19/05 16:47:12 <abartlet> where we try and export a keytab for other gssapi/kerberos applications
> 05/19/05 16:47:39 <lha> I agree that the kerberos code should support it
After the fix, I ran make test, and realised just how pre-alpha the
code is. (Some of the tests failed, but I couldn't see any way that
the change I made could make it fail - I doubt there are even tests
for this Heimdal stuff yet.)
So the big test was in adding a computer to the domain and ...
Well it found the server, and asked me for a username and password.
(So DNS and CLDAP worked, I assume)
I entered the username and password, and an error message appeared,
saying it couldn't join the domain because: "A device attached to the
system is not functioning."
So either my fix didn't work, or there's something else I'm missing, I
guess. Any tips for troubleshooting this? Should I try to trace
packets somehow or send debug log files? (If there is logging for this
code?) I was using a Windows XP SP2 client, if it makes a difference.
Louis (aka. CSpotkill)
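As an added example (not from Louis's message or the Samba project), here is a small POSIX shell check for the DC-locator SRV records a Windows client resolves while finding a domain controller, which is what the howto's "install the zone file into the DNS server" step and the linked Microsoft nslookup note are about. It assumes `dig` from the BIND utilities is installed; the domain name and resolver address are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original post or Samba): check that the DNS
# zone installed for the Samba4 DC answers the SRV lookups a Windows
# client makes while locating a domain controller. Assumes `dig` (BIND
# utilities) is on PATH; the domain and resolver are placeholders.

# Prefixes of the SRV records a client resolves during DC location/join.
REQUIRED_SRV="_ldap._tcp.dc._msdcs _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp"

# Count well-formed SRV answers in `dig +short SRV` output, one record per
# line as "priority weight port target." (prints 0 for empty or error text).
srv_answer_count() {
    printf '%s\n' "$1" | awk 'NF == 4 && $3 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Query one SRV name against a given resolver and print the short answer.
query_srv() {  # $1 = record name, $2 = resolver IP
    dig +short "@$2" SRV "$1"
}

# Check every required record for a domain; prints a status line per
# record and returns the number of missing records (0 = all present).
check_dc_srv_records() {  # $1 = AD/Kerberos domain, $2 = resolver IP
    missing=0
    for prefix in $REQUIRED_SRV; do
        name="$prefix.$1"
        if [ "$(srv_answer_count "$(query_srv "$name" "$2")")" -eq 0 ]; then
            echo "MISSING: $name"
            missing=$((missing + 1))
        else
            echo "ok:      $name"
        fi
    done
    return "$missing"
}

# Usage with placeholder values (queries the network):
#   check_dc_srv_records samba.example.lan 192.0.2.10
```

A join attempt that finds the server but then fails can still have a partial zone, so a non-zero return here is the first thing worth ruling out before moving on to Kerberos-level debugging.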