[Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 3 19:14:53 UTC 2015


On Thu, 03 Dec 2015, Simo Sorce wrote:
>On Thu, 2015-12-03 at 19:33 +0200, Alexander Bokovoy wrote:
>> On Thu, 03 Dec 2015, Simo Sorce wrote:
>> >The first patch is preparatory and is needed in general now that we want
>> >to allow alias and use krbCanonicalName as the canonical name when
>> >multiple values are available in krbPrincipalName.
>> >
>> >The second patch changes slightly how the interdomain trust account is
>> >created so that the getkeytab control can generate the proper key (with
>> >the right salt) for interop reasons with AD. The change should be
>> >upgrade safe because keys are generated at account creation so older
>> >accounts lacking the alias won't be a problem.
>> >
>> >Fixes #5495
>> Thanks. ACK to both. They work for me against Windows Server 2012R2.
>>
>> Now we need to fix Samba AD salt generation so that it is compatible
>> with both Windows and FreeIPA for AES/DES keys and not only RC4... ;)
>
>And so we did:
>https://git.samba.org/?p=idra/samba.git;a=commitdiff;h=8e87601a998b43f58589ff88341946ca4d9ab5ee;hp=412cefc7c8222ccc77e15099a162f9fb7bb01c57
>and:
>https://twitter.com/abbrasuo/status/672480716928716800
>
>:-)
Yep, thanks Simo!

I've posted a few screenshots of the current status of Samba AD with MIT
Kerberos running on Fedora 23 and establishing cross-forest trust to
FreeIPA on my Google+ page:
https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64

The patches to Samba are in Andreas' git tree, plus a few changes Simo did
for proper generation of the salt for interdomain trust object keys.
Currently Samba generates the salt principal wrongly for TDO keys and it
works in Heimdal only because Heimdal uses RC4 keys for cross-realm
trust which does not use the salt.

Once Simo fixed the salt in the password_hash ldb module, we were able to
complete trust to FreeIPA in such a way that MIT KDC was able to respond
to an AS request for the interdomain TDO principal and SSSD on the FreeIPA side
was able to use the resulting Kerberos session to authenticate with SASL
GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX
attributes are managed by FreeIPA (UID/GIDs are autogenerated in this
deployment) but they can also be picked up from Samba AD.

We plan to work on remaining fixes to eventually get the full Samba AD
support in Fedora 24, but this represents a huge milestone in our four-year
quest to make it a reality.

Thanks to everyone!

-- 
/ Alexander Bokovoy
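Added example (not part of the thread above, and not Samba or FreeIPA code) showing why the TDO salt matters for AES but not RC4: RFC 3962 aes128-cts-hmac-sha1-96 string-to-key folds the salt into PBKDF2, so two KDCs that build different salts from the same trust password derive different keys; RC4 keys are a plain hash of the password and never see the salt. The realm, principal components and password below are constructed; the default salt rule (realm followed by the principal components, RFC 4120 section 4) is the generic Kerberos rule, not a claim about what Samba produced before the fix.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"strings"
)

// defaultSalt builds the RFC 4120 default string-to-key salt: the realm name
// followed by the principal name components concatenated without separators.
func defaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

// pbkdf2Sha1 is PBKDF2-HMAC-SHA1 (RFC 2898), written out to stay stdlib-only.
func pbkdf2Sha1(pass, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		mac := hmac.New(sha1.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha1.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// aes128StringToKey is the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
// key = DK(PBKDF2(pass, salt, iter), "kerberos"). For a 128-bit key DK reduces
// to one AES encryption of the 128-bit n-fold of "kerberos" (RFC 3961 A.1).
func aes128StringToKey(pass, salt string, iter int) string {
	tkey := pbkdf2Sha1([]byte(pass), []byte(salt), iter, 16)
	nfoldKerberos, _ := hex.DecodeString("6b65726265726f737b9b5b2b93132b93")
	c, _ := aes.NewCipher(tkey)
	key := make([]byte, 16)
	c.Encrypt(key, nfoldKerberos)
	return hex.EncodeToString(key)
}
```

With the constructed trust password, `aes128StringToKey(pw, defaultSalt("AD.EXAMPLE", "krbtgt", "IPA.EXAMPLE"), 4096)` and the same call with a salt built from a differently cased or differently composed principal give different keys, which is exactly the failure an AS request for the TDO principal hits when the two sides disagree on the salt.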