On Thu, 03 Dec 2015, Simo Sorce wrote:
> The first patch is preparatory and is needed in general now that we want
> to allow aliases and use krbCanonicalName as the canonical name when
> multiple values are available in krbPrincipalName.
>
> The second patch changes slightly how the interdomain trust account is
> created so that the getkeytab control can generate the proper key (with
> the right salt) for interop reasons with AD. The change should be
> upgrade safe because keys are generated at account creation so older
> accounts lacking the alias won't be a problem.

Thanks. ACK to both. They work for me against Windows Server 2012R2.
Now we need to fix Samba AD salt generation so that it is compatible
with both Windows and FreeIPA for AES/DES keys and not only RC4... ;)
/ Alexander Bokovoy