HOWTO: Kerberos domain Join
Andrew Bartlett
abartlet at samba.org
Thu May 19 01:52:52 GMT 2005
This is an attempt to document the process required to perform a domain
join of WinXP to Samba4, using Kerberos. It assumes you already have
followed tridge's tute on installing Samba4 as a DC, and have the config
setup for that much.
It would be nice if someone else was able to reproduce this, and work
with me on a more complete document.
The steps are to:
- obtain and install 'Lorikeet Heimdal', built against LDB and talloc
- obtain and provision current Samba4
- install the zone file into the DNS server
- configure Samba4
- Join the WinXP client.
For this, we need ldb and talloc outside Samba4.
The lib/ldb and lib/talloc directories in samba4 have their own
configure scripts, and can be installed normally. You may need to 'make
clean' in those directories first.
Lorikeet Heimdal
svn co svn://svnanon.samba.org/lorikeet/heimdal lorikeet-heimdal
cd lorikeet-heimdal
./autogen.sh
./configure --with-ldb=/usr/local --without-openldap --disable-shared
--prefix=/usr/local/lorikeet-heimdal
make
make install
Add the following to your /etc/krb5.conf, in the [kdc] section
(replacing the /usr/local/samba with wherever you keep samba).
[kdc]
database = {
dbname = ldb:tdb:///usr/local/samba/private/sam.ldb
}
check-ticket-addresses = FALSE;
configure Samba4:
./configure --with-krb5=/usr/local/lorikeet-heimdal
make clean pch all
Provision your database with setup/provision.pl, and copy the DNS zone
and ldb files as indicated.
In your smb.conf, set:
gensec:krb5=no
gensec:gssapi_krb5=yes
Start the DNS server (ensure your WinXP client will use it)
(as root) Run /usr/local/lorikeet-heimdal/sbin/kadmin -l
At the prompt run:
ext_keytab ldap/my.host.name
ext_keytab LDAP/my.host.name
ext_keytab cifs/my.host.name
ext_keytab host/my.host.name
Start Samba4
Start Heimdal's KDC:
(as root) /usr/local/lorikeet-heimdal/libexec/kdc
(it will not detach from the terminal by default).
You should now be able to join in the usual way.
These instructions are based on what I did, but I've not gone back and
re-tested it all. My hope is to walk though with someone on IRC and see
how much I missed out :-). Clearly this needs to be made easier for our
users...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050519/1a79c760/attachment.bin
More information about the samba-technical
mailing list