Samba AD with MIT Kerberos and trust to FreeIPA update

Alexander Bokovoy ab at
Thu Dec 3 18:44:05 UTC 2015


I've posted a few screenshots of the current status of Samba AD with MIT
Kerberos running on Fedora 23 and establishing cross-forest trust to
FreeIPA on my Google+ page:

The patches to Samba are in Andreas' git tree, plus a few changes Simo did
for proper generation of the salt for interdomain trust object keys.
Currently Samba generates the salt principal wrongly for TDO keys and it
works in Heimdal only because Heimdal uses RC4 keys for cross-realm
trust which does not use the salt.

Once Simo fixed the salt in the password_hash ldb module, we were able to
complete trust to FreeIPA in such a way that the MIT KDC was able to respond
to the AS request for the interdomain TDO principal and SSSD on the FreeIPA side
was able to use the resulting Kerberos session to authenticate with SASL
GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
deployment) but they can also be picked up from Samba AD.

We plan to work on remaining fixes to eventually get the full Samba AD
support in Fedora 24, but this represents a huge milestone in our four
year quest to make it a reality.

Thanks to everyone!

/ Alexander Bokovoy
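The post turns on one property of Kerberos key derivation: AES keys are derived from the password and a salt, while rc4-hmac keys are derived from the password alone, so a wrongly built salt only breaks the AES case. The following Python, added here as an illustration and not code from Samba, FreeIPA or the post's author, builds the RFC 4120 default salt for a trust principal and derives both key types from it, showing that two different salts yield different AES material but identical RC4 keys. The realm names and the trust password are constructed placeholders; the "wrong" salt is just a differently ordered string chosen for the demonstration and does not reproduce what Samba actually generated. Only the PBKDF2 step of the RFC 3962 AES string-to-key is carried out, since the final DK step needs AES and is a deterministic function of the PBKDF2 output, so a changed PBKDF2 output always changes the final key.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because hashlib's md4 is
    an OpenSSL legacy algorithm that many current builds leave disabled."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z

    def rotl(v, s):
        return ((v << s) | (v >> (32 - s))) & MASK32

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each step updates one register, then the registers are rotated so
        # the next step's target is always in "a" (a, d, c, b, a, ... order).
        for i in range(16):                                   # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK32, s), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 section 4 default salt: the realm name followed by the
    principal's name components in order, with no separators."""
    return realm + "".join(principal.split("/"))


def aes_string_to_key_pbkdf2(password: str, salt: str, keylen: int = 32) -> bytes:
    """PBKDF2 step of the RFC 3962 AES string-to-key (HMAC-SHA1, default
    4096 iterations). The DK(tkey, "kerberos") step is omitted; it needs an
    AES primitive and is fully determined by this output."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, keylen)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 rc4-hmac key: MD4 over the UTF-16LE password. No salt at all,
    which is why a wrong salt goes unnoticed when only RC4 is in use."""
    return md4(password.encode("utf-16-le"))


def derive_tdo_keys(password: str, salt: str) -> dict:
    """Derive what a KDC would store for a trust (TDO) principal."""
    return {
        "aes256": aes_string_to_key_pbkdf2(password, salt, 32),
        "rc4": rc4_hmac_key(password),
    }


if __name__ == "__main__":
    # Constructed placeholders; not values from the post.
    local_realm, remote_realm, trust_pw = "AD.EXAMPLE.TEST", "IPA.EXAMPLE.TEST", "s3cret"
    right_salt = default_salt(local_realm, f"krbtgt/{remote_realm}")
    wrong_salt = default_salt(remote_realm, f"krbtgt/{local_realm}")  # deliberately mis-built
    right, wrong = derive_tdo_keys(trust_pw, right_salt), derive_tdo_keys(trust_pw, wrong_salt)
    print("salt:", right_salt)
    print("AES material differs:", right["aes256"] != wrong["aes256"])
    print("RC4 key differs:     ", right["rc4"] != wrong["rc4"])
```

The practical consequence for a trust is that both the KDC (when it stores the TDO keys) and the peer (when it runs string-to-key from the shared trust password) must arrive at the same salt; with AES enctypes a mismatch produces a different key on each side and the AS exchange for the krbtgt principal fails, whereas an RC4-only trust hides the defect entirely, as the post observes for Heimdal.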
