On 3 Dec 2015 19:14, "Alexander Bokovoy" <abokovoy@redhat.com> wrote:
>
> Hi,
>
> (repost to Fedora development)
>
> I've posted a few screenshots of the current status of Samba AD with MIT
> Kerberos running on Fedora 23 and establishing cross-forest trust to
> FreeIPA on my Google+ page:
> https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64
>

Having worked with freeipa in the past, and having some idea of what's involved here, I have to say: congratulations, this is a super-human effort :)

> The patches to Samba are in Andreas' git tree, plus a few changes Simo did
> for proper generation of the salt for interdomain trust object keys.
> Currently Samba generates the salt principal wrongly for TDO keys and it
> works in Heimdal only because Heimdal uses RC4 keys for cross-realm
> trust which do not use the salt.
>
> Once Simo fixed the salt in the password_hash ldb module, we were able to
> complete trust to FreeIPA in such a way that the MIT KDC was able to respond
> to an AS request for the interdomain TDO principal and SSSD on the FreeIPA side
> was able to use the resulting Kerberos session to authenticate with SASL
> GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
> attributes are managed by FreeIPA (UIDs/GIDs are autogenerated in this
> deployment) but they can also be picked up from Samba AD.
>
> We plan to work on the remaining fixes to eventually get full Samba AD
> support in Fedora 24, but this represents a huge milestone in our four-year
> quest to make it a reality.
>
> Thanks to everyone!
>
> --
> / Alexander Bokovoy
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
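As an added illustration of the salt point in Alexander's message (my own example, not code from Samba, FreeIPA, MIT Kerberos or Heimdal): an RC4 (arcfour-hmac) long-term key is just the MD4 hash of the UTF-16LE password and so comes out identical no matter what salt the two sides of a trust compute, whereas an AES key goes through PBKDF2 with the salt as input, so a salt built from the wrong principal string yields a key the KDC cannot match. The realm names AD.EXAMPLE.TEST and IPA.EXAMPLE.TEST, the TDO password and the "wrong" salt are constructed for the demo; the thread does not say how Samba's salt actually differed. The AES path stops after the PBKDF2 stage of the RFC 3962 string-to-key (the final DK step needs AES, which the standard library lacks, and it is a deterministic function of this value anyway), and MD4 is implemented inline because OpenSSL 3 builds of hashlib frequently have it disabled.

```python
# Added demonstration (not Samba, FreeIPA, MIT or Heimdal code) of why the
# salt matters for AES Kerberos keys but not for RC4 (arcfour-hmac) keys.
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rol((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def arcfour_hmac_key(password: str, salt: str = "") -> bytes:
    """arcfour-hmac string-to-key (RFC 4757): MD4 of the UTF-16LE password.
    The salt parameter exists only to make visible that it is never used."""
    return md4(password.encode("utf-16-le"))


def default_salt(principal: str) -> str:
    """Default Kerberos salt (RFC 4120 section 4): the realm name followed by
    the principal's name components, concatenated without separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_pbkdf2_stage(password: str, salt: str, key_len: int = 32) -> bytes:
    """First stage of the aes256-cts-hmac-sha1-96 string-to-key (RFC 3962
    section 4): PBKDF2-HMAC-SHA1 with 4096 iterations. The final DK() step
    that yields the enctype key is omitted; it is a deterministic function of
    this value, so salt sensitivity is already decided here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, key_len)


def compare_trust_keys(password: str, tdo_principal: str, wrong_salt: str) -> dict:
    """Constructed scenario: the KDC derives keys with the RFC 4120 default
    salt, while a peer whose salt generator is wrong uses `wrong_salt`."""
    good_salt = default_salt(tdo_principal)
    return {
        "default_salt": good_salt,
        "aes_keys_match": aes_pbkdf2_stage(password, good_salt) == aes_pbkdf2_stage(password, wrong_salt),
        "rc4_keys_match": arcfour_hmac_key(password, good_salt) == arcfour_hmac_key(password, wrong_salt),
    }


if __name__ == "__main__":
    # Constructed realm and TDO principal names, not taken from the thread.
    tdo = "krbtgt/IPA.EXAMPLE.TEST@AD.EXAMPLE.TEST"
    # A constructed wrong salt (realm and component order swapped); the
    # thread does not say how Samba's salt differed.
    result = compare_trust_keys("trust-secret", tdo, "IPA.EXAMPLE.TESTkrbtgtAD.EXAMPLE.TEST")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it prints the default salt `AD.EXAMPLE.TESTkrbtgtIPA.EXAMPLE.TEST`, `aes_keys_match: False` and `rc4_keys_match: True`, which is exactly why a wrong TDO salt stays invisible as long as the cross-realm ticket is RC4-keyed and surfaces the moment an AES enctype is negotiated. A practical check when a trust fails at the AS exchange is therefore to compare the salt each side records for the TDO principal before suspecting the password itself.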