HOWTO: Kerberos domain Join

Andrew Bartlett abartlet at samba.org
Thu May 19 01:52:52 GMT 2005


This is an attempt to document the process required to perform a domain
join of WinXP to Samba4, using Kerberos.  It assumes you already have
followed tridge's tute on installing Samba4 as a DC, and have the config
setup for that much.

It would be nice if someone else was able to reproduce this, and work
with me on a more complete document.

The steps are to:
 - obtain and install 'Lorikeet Heimdal', built against LDB and talloc
 - obtain and provision current Samba4
 - install the zone file into the DNS server
 - configure Samba4
 - Join the WinXP client.

For this, we need ldb and talloc outside Samba4.
The lib/ldb and lib/talloc directories in samba4 have their own
configure scripts, and can be installed normally.  You may need to 'make
clean' in those directories first.

Lorikeet Heimdal

svn co svn://svnanon.samba.org/lorikeet/heimdal lorikeet-heimdal
cd lorikeet-heimdal
./autogen.sh
./configure --with-ldb=/usr/local --without-openldap --disable-shared \
    --prefix=/usr/local/lorikeet-heimdal
make
make install

Add the following to your /etc/krb5.conf, in the [kdc] section
(replacing the /usr/local/samba with wherever you keep samba).

[kdc]
   database = {
        dbname = ldb:tdb:///usr/local/samba/private/sam.ldb
   }
   check-ticket-addresses = FALSE

configure Samba4:
./configure --with-krb5=/usr/local/lorikeet-heimdal
make clean pch all

Provision your database with setup/provision.pl, and copy the DNS zone
and ldb files as indicated.

In your smb.conf, set: 

gensec:krb5=no
gensec:gssapi_krb5=yes

Start the DNS server (ensure your WinXP client will use it)

(as root) Run /usr/local/lorikeet-heimdal/sbin/kadmin -l

At the prompt run:

ext_keytab ldap/my.host.name
ext_keytab LDAP/my.host.name
ext_keytab cifs/my.host.name
ext_keytab host/my.host.name

Start Samba4

Start Heimdal's KDC:
(as root) /usr/local/lorikeet-heimdal/libexec/kdc
(it will not detach from the terminal by default).

You should now be able to join in the usual way.

These instructions are based on what I did, but I've not gone back and
re-tested it all.  My hope is to walk through with someone on IRC and see
how much I missed out :-).  Clearly this needs to be made easier for our
users...

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
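As an added example, not part of the post above and not Samba or Heimdal code: a script that runs the kadmin "ext_keytab" step for one DC hostname and then checks the resulting keytab before the KDC is started. It assumes the install paths used in the post, that "kadmin -l" accepts its commands on stdin, that "ext_keytab" accepts "-k" to name the keytab it writes, that "ktutil -k KEYTAB list" prints one principal@REALM per entry, and that the caller supplies the realm; the ktutil listing embedded in it is constructed for the checks. It also adds a check the post does not mention: the keytab holds the DC's long-term service keys, so it must not be readable by anyone but root.

```shell
#!/bin/sh
# Added example (not Samba or Heimdal code): drive the "kadmin -l / ext_keytab"
# step of the HOWTO for one DC hostname, then verify the keytab before the KDC
# is started. Paths, the realm and the -k keytab option are assumptions.
set -eu

HEIMDAL=${HEIMDAL:-/usr/local/lorikeet-heimdal}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# The four service principals the HOWTO exports. Kerberos principal names are
# case-sensitive, so ldap/ and LDAP/ are distinct entries and both are needed.
spns_for_host() {
    host=$1
    case $host in
        *.*) ;;
        *)   echo "refusing short hostname '$host': SPNs must be fully qualified" >&2
             return 1 ;;
    esac
    printf '%s\n' "ldap/$host" "LDAP/$host" "cifs/$host" "host/$host"
}

# Lines to feed to "kadmin -l" (assumed: kadmin reads commands from stdin, and
# ext_keytab takes -k to name the keytab it writes to).
kadmin_script() {
    spns=$(spns_for_host "$1") || return 1
    for spn in $spns; do
        echo "ext_keytab -k $KEYTAB $spn"
    done
}

# Read "ktutil -k KEYTAB list" output on stdin and print every wanted
# principal@REALM that is absent; returns 1 if any is missing. A key for the
# right SPN in the wrong realm counts as missing, since the KDC will not use it.
# The principal is matched as a whole whitespace-separated field, wherever it
# sits in the line, so the exact column layout of ktutil does not matter.
missing_spns() {
    realm=$1; shift
    listing=$(cat)
    rc=0
    for spn in "$@"; do
        if ! printf '%s\n' "$listing" |
             awk -v p="$spn@$realm" '{ for (i = 1; i <= NF; i++) if ($i == p) f = 1 }
                                      END { exit !f }'; then
            echo "$spn@$realm"
            rc=1
        fi
    done
    return $rc
}

# The keytab holds the DC's long-term service keys: anyone who can read it can
# forge service tickets for this host, so it must be mode 0600 (owner root).
keytab_is_private() {
    mode=$(ls -l "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ]
}

# Constructed ktutil listing for the checks below: host/ was never exported.
SAMPLE_LISTING='FILE:/etc/krb5.keytab

Vno  Type          Principal                               Date
  1  des-cbc-md5   ldap/dc1.example.com@EXAMPLE.COM        2005-05-19
  1  des-cbc-md5   LDAP/dc1.example.com@EXAMPLE.COM        2005-05-19
  1  des-cbc-md5   cifs/dc1.example.com@EXAMPLE.COM        2005-05-19'

main() {
    host=$1; realm=$2
    kadmin_script "$host" | "$HEIMDAL/sbin/kadmin" -l
    chmod 600 "$KEYTAB"
    # spns_for_host is deliberately unquoted: one argument per SPN.
    if ! "$HEIMDAL/bin/ktutil" -k "$KEYTAB" list |
            missing_spns "$realm" $(spns_for_host "$host"); then
        echo "keytab incomplete (principals above are missing); do not start the KDC" >&2
        return 1
    fi
    keytab_is_private "$KEYTAB" || { echo "$KEYTAB is readable by others" >&2; return 1; }
    echo "keytab $KEYTAB ready for $host in $realm"
}

# Runs only when explicitly asked, so the functions can be sourced and tested.
if [ -n "${JOIN_HOST:-}" ]; then
    main "$JOIN_HOST" "${JOIN_REALM:?set JOIN_REALM to the Kerberos realm}"
fi
```

Run it as root after provisioning and before starting the KDC, e.g. `JOIN_HOST=dc1.example.com JOIN_REALM=EXAMPLE.COM sh keytab.sh`, with the hostname spelled exactly as it appears in DNS; a missing or wrong-realm entry makes it refuse rather than leave the KDC to fail the join later.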