Samba AD with MIT Kerberos and trust to FreeIPA update

Jeremy Allison jra at
Thu Dec 3 20:22:29 UTC 2015

On Thu, Dec 03, 2015 at 08:44:05PM +0200, Alexander Bokovoy wrote:
> Hi,
> I've posted a few screenshots of the current status of Samba AD with MIT
> Kerberos running on Fedora 23 and establishing cross-forest trust to
> FreeIPA on my Google+ page:
> The patches to Samba are in Andreas' git tree, plus a few changes Simo did
> for proper generation of the salt for interdomain trust object keys.
> Currently Samba generates the salt principal wrongly for TDO keys and it
> works in Heimdal only because Heimdal uses RC4 keys for cross-realm
> trust which does not use the salt.
> Once Simo fixed the salt in the password_hash ldb module, we were able to
> complete the trust to FreeIPA in such a way that the MIT KDC was able to respond
> to the AS request for the interdomain TDO principal and SSSD on the FreeIPA side
> was able to use the resulting Kerberos session to authenticate with SASL
> GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
> attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
> deployment) but they can also be picked up from Samba AD.
> We plan to work on remaining fixes to eventually get the full Samba AD
> support in Fedora 24, but this represents a huge milestone in our four-year
> quest to make it a reality.
> Thanks to everyone!

Congratulations Alexander and the rest of the Red Hat Team!

This is *wonderful* work!

Looking forward to seeing this land in Samba.

Cheers and thanks for all the work,
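
The salt point in Alexander's message, as an added example that is neither Samba's nor MIT Kerberos' code: an AES Kerberos key is derived from the password together with the principal's salt string (RFC 3962), so a KDC that generates the TDO key under the wrong salt cannot verify what the trusted peer sends, whereas an RC4-HMAC key (RFC 4757) is an unsalted MD4 of the password and never exposes the mistake. The realm names, principal and trust password below are constructed; the 4096 iteration count is the RFC 3962 default.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"strings"
)

// DefaultSalt is the RFC 4120 default salt: realm, then the name components unseparated.
func DefaultSalt(principal string) string {
	name, realm, _ := strings.Cut(principal, "@")
	return realm + strings.ReplaceAll(name, "/", "")
}

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898) on the standard library only.
func pbkdf2SHA1(pass, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, pass)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// AES256StringToKey is RFC 3962 string-to-key: key = DK(PBKDF2(pw, salt), "kerberos");
// DK on one block under zero-IV CBC-CTS is raw AES: K1 = E(tkey, nfold), K2 = E(tkey, K1).
func AES256StringToKey(password, salt string, iter int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, 32)
	c, _ := aes.NewCipher(tkey)
	nfold, _ := hex.DecodeString("6b65726265726f737b9b5b2b93132b93") // n-fold("kerberos", 128)
	k1, k2 := make([]byte, 16), make([]byte, 16)
	c.Encrypt(k1, nfold)
	c.Encrypt(k2, k1)
	return append(k1, k2...)
}
```

Deriving the key for the constructed TDO principal `krbtgt/IPA.EXAMPLE@AD.EXAMPLE` under `DefaultSalt` and again under a salt with the realms swapped gives two unrelated keys; with RC4-HMAC both sides would have agreed regardless, which is the Heimdal case described above.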


More information about the samba-technical mailing list