[Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control

Simo Sorce simo at redhat.com
Thu Dec 3 18:52:35 UTC 2015


On Thu, 2015-12-03 at 19:33 +0200, Alexander Bokovoy wrote:
> On Thu, 03 Dec 2015, Simo Sorce wrote:
> >The first patch is preparatory and is needed in general now that we want
> >to allow alias and use krbCanonicalName as the canonical name when
> >multiple values are available in krbPrincipalName.
> >
> >The second patch changes slightly how the interdomain trust account is
> >created so that the getkeytab control can generate the proper key (with
> >the right salt) for interop reasons with AD. The change should be
> >upgrade safe because keys are generated at account creation so older
> >accounts lacking the alias won't be a problem.
> >
> >Fixes ##5495
> Thanks. ACK to both. They work for me against Windows Server 2012R2.
> 
> Now we need to fix Samba AD salt generation so that it is compatible
> with both Windows and FreeIPA for AES/DES keys and not only RC4... ;)

And so we did:
https://git.samba.org/?p=idra/samba.git;a=commitdiff;h=8e87601a998b43f58589ff88341946ca4d9ab5ee;hp=412cefc7c8222ccc77e15099a162f9fb7bb01c57
and:
https://twitter.com/abbrasuo/status/672480716928716800

:-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
