[SAMBA4] Kerberos Domain Join successful!

Andrew Bartlett abartlet at samba.org
Sat May 14 15:35:20 GMT 2005

On Sat, 2005-05-14 at 16:11 +1000, Andrew Bartlett wrote:
> It has actually been quite a surprise to see this finally work.  I have
> demonstrated (800 packets later, trace and passwords available on
> request) WinXP joining a Samba4 domain, using kerberos, as well as the
> subsequent domain logon.
> The changes required will slowly be integrated back into the various
> subversion trees, but the blocker on so called 'DCE STYLE' GSSAPI has
> been solved.  This has been a lot of work by metze, and it is only on
> that base that I was able to finish it off.  (I had to disable an extra
> mutual authentication check in Heimdal).

The need to disable the mutual auth is the only part of this that has
not now been committed.

The setup uses Heimdal from lorikeet, with manually set up keytab entries
in /etc/krb5.keytab.  I'll soon (tomorrow) change this to use an
in-memory keytab.

With the changes I made tonight, I have made much more progress - we now
get a full login, apparently using Kerberos for 'most' of the process.  

We see the client fall back to NTLMSSP for some of the later stages of
the login, which may be related to us not accepting Kerberos for the
DNS/ name.  I need to allow all the different aliases for HOST/ in the
servicePrincipalName search.

I expect as we keep filling out more of the puzzle, that the fallback
point will keep being pushed back.  These are exciting times indeed!

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net