On 3 Dec 2015 19:14, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
> Hi,
>
> (repost to Fedora development)
>
> I've posted a few screenshots of the current status of Samba AD with MIT
> Kerberos running on Fedora 23 and establishing cross-forest trust to
> FreeIPA on my Google+ page:
> https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64
>

Having worked with freeipa in the past, and having some idea of what's involved here, I have to say: congratulations, this is a super-human effort :)

> The patches to Samba are in Andreas' git tree, plus a few changes Simo did
> for proper generation of the salt for interdomain trust object keys.
> Currently Samba generates the salt principal wrongly for TDO keys and it
> works in Heimdal only because Heimdal uses RC4 keys for cross-realm
> trust which does not use the salt.
>
> Once Simo fixed the salt in password_hash ldb module, we were able to
> complete trust to FreeIPA in such a way that MIT KDC was able to respond
> on AS request for the interdomain TDO principal and SSSD on FreeIPA side
> was able to use the resulting Kerberos session to authenticate with SASL
> GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
> attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
> deployment) but they can also be picked up from Samba AD.
>
> We plan to work on remaining fixes to eventually get the full Samba AD
> support in Fedora 24, but this represents a huge milestone in our four
> year quest to make it a reality.
>
> Thanks to everyone!
>
> --
> / Alexander Bokovoy
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
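The salt point in the quoted message, as an added example (not part of the original thread, and not Samba, Heimdal or MIT Kerberos code): two sides that disagree on the salt still derive the same RC4 key, while the AES derivation diverges at its first step. The password and both salt strings are constructed for illustration and are not the values Samba generates; the AES branch covers only the PBKDF2 stage of RFC 3962 string-to-key.

```python
import hashlib
import struct

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); pure Python because hashlib may not expose it."""
    mask = 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2
                f, k = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4
                s, add = (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3
                f, k, s, add = b ^ c ^ d, r3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            v = (a + f + x[k] + add) & mask
            a, b, c, d = d, ((v << s) | (v >> (32 - s))) & mask, b, c
        h = [(p + q) & mask for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def string_to_key(etype: str, password: str, salt: str) -> bytes:
    """Derive long-term key material from a password for one enctype."""
    if etype == "rc4-hmac":
        # RFC 4757: MD4 over the UTF-16LE password; the salt is never used.
        return md4(password.encode("utf-16-le"))
    if etype == "aes256-cts-hmac-sha1-96":
        # RFC 3962 first stage: PBKDF2-HMAC-SHA1 over password and salt.
        # The final DK(tkey, "kerberos") step needs AES and is omitted here.
        return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)
    raise ValueError(etype)

def keys_agree(etype: str, password: str, salt_a: str, salt_b: str) -> bool:
    return string_to_key(etype, password, salt_a) == string_to_key(etype, password, salt_b)

# Constructed sample values (hypothetical, not taken from Samba or FreeIPA).
PASSWORD = "constructed-trust-secret"
SALT_A = "SAMBA.TESTkrbtgtIPA.TEST"
SALT_B = "SAMBA.TESTIPA$"

if __name__ == "__main__":
    for etype in ("rc4-hmac", "aes256-cts-hmac-sha1-96"):
        print(etype, "keys agree:", keys_agree(etype, PASSWORD, SALT_A, SALT_B))
```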