On 3 December 2015 at 19:14, Alexander Bokovoy <aboko...@redhat.com> wrote:
> Hi,
>
> (repost to Fedora development)
>
> I've posted a few screenshots of the current status of Samba AD with MIT
> Kerberos running on Fedora 23 and establishing cross-forest trust to
> FreeIPA on my Google+ page:
> https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64
>
> The patches to Samba are in Andreas' git tree, plus a few changes Simo did
> for proper generation of the salt for interdomain trust object keys.
> Currently Samba generates the salt principal wrongly for TDO keys and it
> works in Heimdal only because Heimdal uses RC4 keys for cross-realm
> trust which does not use the salt.
>
> Once Simo fixed the salt in password_hash ldb module, we were able to
> complete trust to FreeIPA in such a way that MIT KDC was able to respond
> to an AS request for the interdomain TDO principal and SSSD on FreeIPA side
> was able to use the resulting Kerberos session to authenticate with SASL
> GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
> attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
> deployment) but they can also be picked up from Samba AD.
>
> We plan to work on remaining fixes to eventually get the full Samba AD
> support in Fedora 24, but this represents a huge milestone in our four-year
> quest to make it a reality.
>
> Thanks to everyone!
>

This is great news! Especially since SerNet put the most recent releases behind paid support. Look forward to carrying out tests of this in due course.
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org