Alexander Bokovoy
@abbra.mastodon.social.ap.brid.gy
2 followers 1 following 46 posts
Samba, FreeIPA, SSSD, and a lot of other topics people remember when office infrastructure doesn't work. [bridged from https://mastodon.social/@abbra on the fediverse by https://fed.brid.gy/ ]
abbra.mastodon.social.ap.brid.gy
@3v1n0 @bagder a heritage so large it doesn't fit a single biography!
abbra.mastodon.social.ap.brid.gy
And an actual Brno zoo booth at the OpenSSL conference
abbra.mastodon.social.ap.brid.gy
#openssl is a library and aligns closely with its allies. Slides from Tim and Anton's talk at the OpenSSL conference.
abbra.mastodon.social.ap.brid.gy
Hope to find some time to write a blog about the CVE stuff. Unfortunately, not so many people actually wrote about the way MSFT, Samba Team, MIT Kerberos, and FreeIPA are trying to improve cross-OS security.
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork

Past week was busy. We released #freeipa 4.12.5 with the fix for CVE-2025-7493. I think we ended up doing 13 downstream releases (RHEL+Fedora) and anticipate several weeks of busy freeipa-users@ traffic.

New FreeIPA Web UI support was merged upstream but building it on the […]
Original post on mastodon.social
abbra.mastodon.social.ap.brid.gy
This is now in Rawhide and is integrated in fedora-packager for FEDORAPROJECT.ORG realm. Just install fedora-packager-kerberos package in Rawhide and try kinit for your Fedora account.
abbra.mastodon.social.ap.brid.gy
Recorded a small demo that shows what this looks like for FreeIPA: https://www.youtube.com/watch?v=lskGqMI9Wu8
abbra.mastodon.social.ap.brid.gy
It is `auto_fast_armor = true` in the realm section. I submitted a PR to the fedora-packager package to add this to the Fedora setup: https://src.fedoraproject.org/rpms/fedora-packager/pull-request/18#request_diff
abbra.mastodon.social.ap.brid.gy
Note that we'll be gating this with a separate realm variable in krb5.conf, so in future it will require an additional option to be added to your configuration.
abbra.mastodon.social.ap.brid.gy
I built a COPR repo for F42-F43-F44 and CentOS Stream 10 to test this patch:
```
# copr enable abbra/krb5-automated-fast
# dnf upgrade krb5-libs
```

It should work with the Fedora FreeIPA instance, so if your Fedora account has an OTP token enabled, you can install the `fedora-packager` package and use […]
abbra.mastodon.social.ap.brid.gy
Finally implemented automatic FAST channel acquisition in MIT Kerberos using Anonymous PKINIT. This means you don't need to do `kinit -n -c fast.ccache @REALM && kinit -T fast.ccache user@REALM` anymore to get passwordless pre-authentication working in the console. All apps should be able to work […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork:

- #freeipa and #samba 4.23 interop fixes pushed to #fedora 43 updates stable. Not sure they are part of the Fedora 43 beta ISO image, though.

- We started looking into how to automatically test Samba and FreeIPA trust interop in Fedora QA infra […]
abbra.mastodon.social.ap.brid.gy
- PCP 7.0 support is merged upstream and backported to Samba 4.23 series, so should be good now.

- Also helped with some patch reviews. More to come...
abbra.mastodon.social.ap.brid.gy
- there is still an issue on the winbindd side because it still reports there is no routing information for those domains after the fix, but it is not preventing the current code from working. The routing info is there, just wrongly marked with the null secure channel type. Will look at that later.

- […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork:
- the new #samba 4.23 release candidates found a bug I had in #freeipa for a decade. The MS-DRSR spec forces the version of the ForestTrustInfo structure to be set to 1 (the only supported type) and Samba started enforcing it. FreeIPA saved the structure with a default (0) version number […]
abbra.mastodon.social.ap.brid.gy
One more update is that I managed to record a few demos of how system accounts work: https://www.youtube.com/playlist?list=PLnztcusQEwUp23rUWp4SEZ8I2jCyyUiwb
abbra.mastodon.social.ap.brid.gy
Azure CI runners are slow and FreeIPA CI tests often fail there. It probably can be solved by redistributing the tests across more parallel runners, but we may just move some tests to PRCI instead...
abbra.mastodon.social.ap.brid.gy
FreeIPA system accounts support is nearing completion. Spent a week figuring out why my test was failing, only to find out it was a single-character failure. When objects get included as references in the IPA API (role, permission, etc.), they are mentioned in command-line options using the plural (e.g […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork:
This week was intense in fixing regressions. At SambaXP we improved Samba support for Kerberos, but it broke FreeIPA's use of GSSProxy, which we only noticed in Fedora Rawhide with the 4.23 release candidates. Fixed that, and during the Rawhide update discovered that the new PCP 7.0.0 broke […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork

Back from vacation. Spent some time crawling through the emails, recovering my audio setup after two weeks away from home.

- started to look into automating FAST channel use when doing kinit with https://github.com/krb5/krb5/pull/1447. Greg suggested moving the logic to libkrb5 […]
abbra.mastodon.social.ap.brid.gy
... [continuation]
- the recent MCP spec added a requirement for the OAuth2 IdP to support dynamic client registration, and this is something we definitely need in the IPA case as well. Using existing Kerberos credentials to self-register OIDC clients is now part of the WIP design doc […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork:

- helped @zlopez investigate why an IPA replica couldn't be provisioned in the new Fedora datacenter. We had a similar report upstream as well. This looks like a PKI/DS configuration issue, but also a PKI problem with VLV searches.

- filed an issue for freeipa-healthcheck to […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork
- back from the Flock+meetings+DevConf trip that took 12 days. Flights got delayed in Prague due to thunderstorms; came back around midnight.

- Tuesday we released #freeipa 4.12.4 with a fix to CVE-2025-4404. Spent some time getting Fedora builds done. RHEL builds were released […]
abbra.mastodon.social.ap.brid.gy
#yesterdayatwork:
It is Red Hat Summit week and I'm in Boston.
- ran a talk about post-quantum crypto in RHEL together with @simo5 and Amy.
- gave 4 lightning talks about different #freeipa features that we either have implemented recently or are working on upstream:
  - `ipa-migrate`
  - […]