Spent last week travelling.

#Yesterdayatwork:

- Tue: meeting at Uni Tartu, participating in preliminary QARC gathering as part of CHESS programme. Our EU research project is shaping up well (starts in 2026).

- Wed/Thu: participated in NordSec 2025 conference. Interesting talks, nice discussions in the hallways.

- Had nice brainstorming session with @romen on PQC certificates. Need to finish up ideas into bug reports. ;)

#Yesterdayatwork
- #Samba Team ran an online developer gathering (https://wiki.samba.org/index.php/Samba_Developer_Online_Gathering), next one is next Tuesday
- System Accounts support merged to #FreeIPA upstream, finally, including Web UI integration: https://www.youtube.com/watch?v=cWY0deOZJms
- bunch of meetings
- got Windows Server 2025 trust with IPA working without any changes and even login to Windows (with changes)

#yesterdayatwork
- Got vaccinations on Thursday and they kicked off Friday night, so I was more or less sleeping whole Friday.

- Over weekend fixed a bug in IPA's PR handling tool: it does rewrite commit messages by adding reviewers and then feeds line by line into git am input. This breaks commits which include DOS line endings. Since I had a PR#7954 that just removed Windows krb5.con and friends, the PR wasn't pushable through the tool.

- Iker published CFP for FOSDEM IAM devroom (cont.)
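
Added example, not the IPA tool's code: a model of the DOS line-ending failure described in the post above, assuming the rewrite inserts a `Reviewed-By:` trailer before the `---` separator of `git format-patch` output. The sample patch, names and addresses are constructed.

```python
# Added illustration; a model of the failure, not the FreeIPA tool's code.
# Constructed sample: format-patch style mail deleting a CRLF (DOS) file.
SAMPLE_PATCH = (
    b"From: Dev <dev@example.test>\n"
    b"Subject: [PATCH] Remove Windows config sample\n"
    b"\n"
    b"Drop an unused file.\n"
    b"---\n"
    b"diff --git a/sample.ini b/sample.ini\n"
    b"--- a/sample.ini\n"
    b"+++ /dev/null\n"
    b"@@ -1,2 +0,0 @@\n"
    b"-[section]\r\n"
    b"-key = value\r\n"
)
TRAILER = "Reviewed-By: Reviewer <reviewer@example.test>"  # constructed


def add_trailer_naive(patch: bytes, trailer: str) -> bytes:
    """Text-mode, line-by-line rewrite: every line ending collapses to LF."""
    out, done = [], False
    for line in patch.decode("utf-8").splitlines():  # drops \r\n and \n alike
        if not done and line == "---":
            out.append(trailer)
            done = True
        out.append(line)
    return ("\n".join(out) + "\n").encode("utf-8")


def add_trailer_bytes(patch: bytes, trailer: str) -> bytes:
    """Byte-level rewrite: one line is inserted, all other bytes are kept."""
    out, done = [], False
    for line in patch.splitlines(keepends=True):
        if not done and line.rstrip(b"\r\n") == b"---":
            out.append(trailer.encode("utf-8") + b"\n")
            done = True
        out.append(line)
    return b"".join(out)


def removed_lines(patch: bytes) -> list:
    """Payload of the '-' hunk lines, which must match the file byte for byte."""
    hunk = patch.split(b"\n@@ ", 1)[1].split(b"\n")[1:]
    return [line[1:] for line in hunk if line.startswith(b"-")]
```

The text-mode version hands `git am` deletion lines without the trailing CR, so they no longer match a file stored with CRLF endings; the byte-level version changes nothing except the inserted trailer.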

#YesterdayAtWork

This week I attended OpenSSL conference in Prague, a lot of discussions, not much actual work. The conference ran really smoothly.
- QUBIP folks showed amazing progress with their rust-based softtoken and Firefox post quantum crypto support.
- Highly recommend Viktor Dukhovni's Postfix use of OpenSSL talk: https://dnssec-stats.ant.isi.edu/~viktor/prague.pdf
- Had a few discussions with Nico on Kerberos future (his ASN.1 tools talk is also worth watching).

Hopefully, videos will be public in a few weeks.

#yesterdayatwork

Past week was busy. We released #FreeIPA 4.12.5 with the fix for CVE-2025-7493. I think we ended up doing 13 downstream releases (RHEL+Fedora) and anticipate several weeks of busy freeipa-users@ traffic.

New FreeIPA Web UI support was merged upstream but building it on the mainframe is not possible, so branching to 4.13 pre-releases is delayed.

Next week is OpenSSL conference in Prague, a lot of talks in preparation to PQC support work.

#YesterdayAtWork:

- #FreeIPA and #Samba 4.23 interop fixes pushed to #Fedora 43 updates stable. Not sure they are part of the Fedora 43 beta iso image, though.

- We started looking into how to automatically test Samba and FreeIPA trust interop in Fedora QA infra: https://lists.fedoraproject.org/archives/list/[email protected]/thread/4JZ2VS6CYNVMBYR45ND62OULXZZ2MLMA/, if anyone wants to help, please contact me.

- Ran FreeIPA sysaccounts demo for Red Hat's teams and found couple bugs, nice demo effect. Fixed.

- Worked on couple more fixes to enforce attribute uniqueness.

#YesterdayAtWork:
- the new #Samba 4.23 release candidates found a bug I had in #FreeIPA for a decade. MS-DRSR spec forces version of ForestTrustInfo structure to be set to 1 (the only supported type) and Samba started enforcing it. FreeIPA saved the structure with a default (0) version number and now Samba doesn't accept it leading to rejection of trusted domains reported by FreeIPA. Fixed and will be in Fedora 43 beta thanks to the exception granted.

1/

#YesterdayAtWork:
This week was intense in fixing regressions. At SambaXP we improved Samba support for Kerberos but it broke FreeIPA use of GSSProxy which we only noticed in Fedora Rawhide with 4.23 release candidates. Fixed that and during Rawhide update discovered that new PCP 7.0.0 broke ctdb in Samba. Took some time to fix that too, thanks to PCP maintainers!

Hopefully, upstream changes will be merged before Samba 4.23.0 final release.

1/

#YesterdayAtWork

Back from vacation. Spent some time crawling through the emails, recovering my audio setup after two weeks out of home.

- started to look into automating FAST channel use when doing kinit with https://github.com/krb5/krb5/pull/1447. Greg suggested to move the logic to libkrb5 so that all apps can benefit

- Reviewed some pull requests and WIP patches. Samba ones should land in 4.23, hopefully.

- struggled with Fedora DDoSes. Q^%&@@#!

#YesterdayAtWork:

- helped @zlopez investigate why IPA replica couldn't be provisioned in the new Fedora datacenter. We had similar report upstream as well. This looks like a PKI/DS configuration issue but also PKI problem with VLV searches.

- filed an issue for freeipa-healthcheck to identify broken configurations for the above and suggest adjustments.

- read through new MCP spec and found that there are similar needs there for authentication/authorization we have in IPA for OAuth2 IdP.