Samba AD and MIT KDC

Andreas Schneider asn at samba.org
Tue May 2 06:19:28 UTC 2017


On Sunday, 30 April 2017 17:48:11 CEST Jeremy Allison via samba-technical 
wrote:
> On Sun, Apr 30, 2017 at 03:30:03AM +0200, Andreas Schneider wrote:
> > The branch, master has been updated
> > 
> >        via  68d0c29 mit_samba: Fix principal lookup for cross domain
> >        referral
> >        via  764e485 mit-samba: Remove obsolete mit_samba_update_pac_data()
> >        via  0668c46 s4-kdc: Use mit_samba_reget_pac() in ks_verify_pac()
> >        via  648388a s4-kdc: Implement mit_samba_reget_pac()
> >        via  9c33e96 s4-pac-glue: Do not add an empty PAC_TYPE_LOGON_NAME
> >        with MIT
> >        via  a72eecd mit-samba: Remove unused mit_samba_get_pac_data()
> >        via  bff4311 s4-kdc: Use mit_samba_get_pac() in ks_get_pac()
> >        via  e240cff s4-kdc: Implement mit_samba_get_pac()
> >        via  ecf42ce s4-kdc: Fix logging with the KDB driver
> >        via  2a43c8d s4-torture: Fix reauth tests with smaller clockskew
> >        grace time
> >        via  57edd3e waf: Move python build instructions to wscript
> >        via  9b932d6 python: Add provisioning support for MIT KDC in
> >        samba-tool
> >        via  18917d2 python: Add py_is_heimdal_built() to pyglue
> >        via  09f84d0 selftest: Add a variable to indicate that selftest is
> >        running
> >        via  fecbc81 waf: Create kerberos_implementation.py for
> >        provisioning
> >        via  41f0349 selftest: Skip s4u2proxy tests, no support yet
> >        via  c511313 testprogs: Add MIT Kerberos specific kpasswd blackbox
> >        test
> >        via  dce438e s4-kdc: Start the kpasswd service with MIT KDC
> >        via  ec7cdcc waf: Search for MIT kadm-server library
> >        via  a1d9e88 s4-kdc: Add MIT Kerberos specific kpasswd code
> >        via  088f171 s4-torture: Add AES and RC4 enctype checks
> >        via  3b0f1c2 s4-torture: Add TORTURE_KRB5_TEST_CLOCK_SKEW test
> >        via  3022307 s4-torture: Add TORTURE_KRB5_TEST_BREAK_PW test
> >        via  5d51e4b s4-torture: Add TORTURE_KRB5_TEST_PAC_REQUEST test
> >        via  7ad7fca s4-torture: Add KDC test harness and first test
> >        via  6ffef6f waf: Only build KRB5 KDC tests when AD_DC build is
> >        enabled
> >        via  8fd03be testprogs: Add test with exported keytab from
> >        samba-tool
> >        via  1521ec4 testprogs: Add a kinit trust test for MIT KDC
> >        via  3924426 testprogs: Add test_kinit_mit.sh test
> >        via  c761f9f s4-torture: Fix kinit of samba4.blackbox.locktest
> >        via  8de3fd5 testprogs: Fix usage printout of bogus blackbox test
> >        via  bec3a18 testprogs: Fix test_chgdcpass blackbox test with MIT
> >        via  612714d s4-torture: disable s4u2self/proxy remote pac tests
> >        for MIT build for now.
> >        via  ac5427c selftest: Set clockskew grace time to 5 seconds
> >        via  c85f9b2 selftest: Setup configs for MIT KDC
> >        via  b40c920 selftest: Disable RODC tests with MIT KDC
> >        via  687da88 selftest: Start MIT KDC if Kerberos is from MIT
> >        via  6d19a66 waf: Do not disable the ntvfs fileserver when we have
> >        MIT DC build
> >        via  eaaf5ce param: Add 'mit kdc config' option to smb.conf
> >        via  6eb1ff9 s4-kdc: Register the MIT irpc PAC validation service
> >        via  6b67a39 s4-kdc: Add MIT KRB5 based irpc service for PAC
> >        validation
> >        via  32e772b s4-kdc: Add a MIT Kerberos KDC service
> >        via  7556c20 param: Add 'mit kdc command' to change the default.
> >        via  b5a67b9 waf: Check for MIT KDC binary
> >        via  990cca3 mit-kdb: Update KDB vtable for DAL version 6
> >        via  a0464e3 waf: Require MIT Kerberos 1.15.1 for Samba AD
> >        via  b161e5c mit-kdb: Zero the db principal when we allocate it
> >        via  0e84e83 samba_dnsupdate: Do not rewrite krb5.conf in selftest
> >        via  9fee64d s3-tests: Use common functions in
> >        test_smbclient_netbios_aliases.sh
> >        via  31491f8 testprogs: Add common kinit function
> >        via  f0e8d98 s4:torture: Fix the remote_pac test
> >        via  89903a3 s4:selftest: Only run auth_log tests with Heimdal
> >       
> >       from  277eac1 lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()
> 
> W00t! Congratulations Andreas and Günther !!!!
> 
> Thanks so much for getting us to this point.
> 
> Samba Enterprise-ready indeed !!! :-).

Thank you very much, there is still a lot of work ahead but this is a really 
good start.


Cheers,


	Andreas



