On Thu, 2015-12-03 at 19:33 +0200, Alexander Bokovoy wrote:
> On Thu, 03 Dec 2015, Simo Sorce wrote:
> >The first patch is preparatory and is needed in general now that we want
> >top allow alias and use krbCanonicalName as the canonical name when
> >multiple values are avilable in krbPrincipalName.
> >
> >The second patch changes slightly how the interdomain trust account is
> >created so that the getkeytab control can generate the proper key (with
> >the right salt) for interop reasons with AD. The change should be
> >upgrade safe because keys are generate at account creation so older
> >accounts lacking the alias won't be a problem.
> >
> >Fixes ##5495
> Thanks. ACK to both. They work for me against Windows Server 2012R2.
> 
> Now we need to fix Samba AD salt generation so that it is compatible
> with both Windows and FreeIPA for AES/DES keys and not only RC4... ;)

And so we did:
https://git.samba.org/?p=idra/samba.git;a=commitdiff;h=8e87601a998b43f58589ff88341946ca4d9ab5ee;hp=412cefc7c8222ccc77e15099a162f9fb7bb01c57
and:
https://twitter.com/abbrasuo/status/672480716928716800

:-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to