Building samba4 against system Heimdal
lukeh at padl.com
Thu May 12 11:31:48 MDT 2011
Nice to meet you the last few days.
> Not sure that we really tried to join as a domain member any windows/samba domain.
Andrew Bartlett reckons that it should work; I'm actually happy to test a Samba4 DC instead, as long as S4U2Self works (does anyone know if this is implemented in the Samba4 KDC?)
> Did you try the ./samba-tool join DC de.padl.com
That has the same SRV lookup problem anyway. I guess I'll have to dig a little as to why the DNS lookup is failing...
Anyway, I have some (untested) patches to Samba4 to further generalise gensec so it supports multiple GSS mechanisms. (We really need gss_set_neg_mechs() in Heimdal for this to work properly inside SPNEGO.) I'm hoping to get it to work with Moonshot (project-moonshot.org), which is a GSS EAP based mechanism. (The PAC is sent as a RADIUS attribute, retrieved either by S4U2Self or possibly NTLM itself, in the case of MS-CHAP. The same GSS APIs as for Kerberos are used to retrieve the authorisation data.)