Building samba4 against system Heimdal

Luke Howard lukeh at
Thu May 12 11:31:48 MDT 2011

Hi Matthieu,

Nice to meet you the last few days.

> Not sure that we really tried to join as a domain member any windows/samba domain.

Andrew Bartlett reckons that it should work; I'm actually happy to test a Samba4 DC instead, as long as S4U2Self works (does anyone know if this is implemented in the Samba4 KDC?)

> Did you try the ./samba-tool join DC

That has the same SRV lookup problem anyway. I guess I'll have to dig a little as to why the DNS lookup is failing...

Anyway, I have some (untested) patches to Samba4 to further generalise gensec so it supports multiple GSS mechanisms. (We really need gss_set_neg_mechs() in Heimdal for this to work properly inside SPNEGO.) I'm hoping to get it to work with Moonshot, which is a GSS EAP based mechanism. (The PAC is sent as a RADIUS attribute, retrieved either by S4U2Self or possibly NTLM itself, in the case of MS-CHAP. The same GSS APIs as for Kerberos are used to retrieve the authorisation data.)


-- Luke

