Samba AD with MIT Kerberos and trust to FreeIPA update
Jeremy Allison
jra at samba.org
Thu Dec 3 20:22:29 UTC 2015
On Thu, Dec 03, 2015 at 08:44:05PM +0200, Alexander Bokovoy wrote:
> Hi,
>
> I've posted few screenshots of the current status of Samba AD with MIT
> Kerberos running on Fedora 23 and establishing cross-forest trust to
> FreeIPA on my Google+ page: https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64
>
> The patches to Samba are in Andreas' git tree, plus few changes Simo did
> for proper generation of the salt for interdomain trust object keys.
> Currently Samba generates the salt principal wrongly for TDO keys and it
> works in Heimdal only because Heimdal users RC4 keys for cross-realm
> trust which does not use the salt.
>
> Once Simo fixed the salt in password_hash ldb module, we were able to
> complete trust to FreeIPA in such way that MIT KDC was able to respond
> on AS request for the interdomain TDO principal and SSSD on FreeIPA side
> was able to use the resulting Kerberos session to authenticate with SASL
> GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
> attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
> deployment) but they can also be picked up from Samba AD.
>
> We plan to work on remaining fixes to eventually get the full Samba AD
> support in Fedora 24, but this represents a huge milestone in our four
> year quest to make it a reality.
>
> Thanks to everyone!
Congratulations Alexander and the rest of the Red Hat Team !
This is *wonderful* work !
Looking forward to see this land in Samba.
Cheers and thanks for all the work,
Jeremy.
More information about the samba-technical
mailing list