Hi,

(repost to Fedora development)

I've posted a few screenshots of the current status of Samba AD with MIT Kerberos running on Fedora 23 and establishing cross-forest trust to FreeIPA on my Google+ page: https://plus.google.com/+AlexanderBokovoy/posts/NgozL7Rgw64

The patches to Samba are in Andreas' git tree, plus a few changes Simo did for proper generation of the salt for interdomain trust object keys. Currently Samba generates the salt principal wrongly for TDO keys and it works in Heimdal only because Heimdal uses RC4 keys for cross-realm trust which does not use the salt.

Once Simo fixed the salt in password_hash ldb module, we were able to complete trust to FreeIPA in such a way that MIT KDC was able to respond to the AS request for the interdomain TDO principal and SSSD on FreeIPA side was able to use the resulting Kerberos session to authenticate with SASL GSSAPI to Samba AD's LDAP to look up users and groups. The POSIX attributes are managed by FreeIPA (UID/GIDs are autogenerated in this deployment) but they can also be picked up from Samba AD.

We plan to work on remaining fixes to eventually get the full Samba AD support in Fedora 24, but this represents a huge milestone in our four-year quest to make it a reality.

Thanks to everyone!

--
/ Alexander Bokovoy
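The following is an added example, not part of the original message and not Samba, Heimdal or MIT code: it illustrates why a wrongly generated salt stays invisible with RC4 keys but breaks AES keys. It compares the RFC 4757 RC4-HMAC string-to-key with the salted PBKDF2 stage of the RFC 3962 AES string-to-key; the password and both salt strings are constructed placeholders, not the values Samba or AD actually derive, and the function names are hypothetical.

```python
import hashlib
import struct

R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    pad = b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    msg = msg + pad + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F(b, c, d)
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G(b, c, d)
                f, k = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4
                s, add = (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H(b, c, d)
                f, k, s, add = b ^ c ^ d, R3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = (a + f + x[k] + add) & mask
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4_hmac_key(password: str, salt: str) -> bytes:
    """RFC 4757 string-to-key: MD4 of the UTF-16LE password; the salt is ignored."""
    return md4(password.encode("utf-16-le"))

def aes256_pbkdf2_stage(password: str, salt: str) -> bytes:
    """Salted stage of RFC 3962 string-to-key (the final DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def compare_salts(password: str, salt_a: str, salt_b: str) -> dict:
    """Report which enctypes still agree when the two sides disagree on the salt."""
    return {
        "rc4-hmac": rc4_hmac_key(password, salt_a) == rc4_hmac_key(password, salt_b),
        "aes256-cts": aes256_pbkdf2_stage(password, salt_a)
                      == aes256_pbkdf2_stage(password, salt_b),
    }

if __name__ == "__main__":
    # Constructed trust secret and salt strings, for illustration only.
    print(compare_salts("constructed-trust-secret",
                        "AD.EXAMPLEkrbtgtIPA.EXAMPLE", "AD.EXAMPLEIPA$"))
```

When the two sides disagree on the salt, the RC4 keys still match while the AES keys do not, so a KDC that uses AES keys for the trust principal cannot use keys derived with the wrong salt.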