[SAMBA4] Kerberos Domain Join successful!

Andrew Bartlett abartlet at samba.org
Sat May 14 06:11:12 GMT 2005


It has actually been quite a surprise to see this finally work.  I have
demonstrated (800 packets later, trace and passwords available on
request) WinXP joining a Samba4 domain, using Kerberos, as well as the
subsequent domain logon.

The changes required will slowly be integrated back into the various
subversion trees, but the blocker on so-called 'DCE STYLE' GSSAPI has
been solved.  This has been a lot of work by metze, and it is only on
that base that I was able to finish it off.  (I had to disable an extra
mutual authentication check in Heimdal).

When I get things cleared up a bit more, I'll describe to the list where
I want to go with Kerberos, libraries and Heimdal.

I also used tridge's new cldap server, so we can finally see clapd (a
prototype tool from the IBM blue directory research project) off into
the sunset.

This trace also shows how much more work is to be done - the client
naturally wishes to update our DNS server with secure TSIG updates, as
well as check the time over SCHANNEL secured NTP.  But the base is here,
and while complex, none of this is particularly mystic.

Thank you very much to everybody involved in this effort.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net