#YesterdayAtWork:

- together with @cryptomilk we've got #localkdc to handle IP addresses associated with the host as aliases for Kerberos authentication. You'd be able to do SMB3 with Kerberos using IP address and still use Kerberos auth. This is work in progress.

- keep discussing with DocHelp folks IAKERB interop with Windows. Both sides need some work, which is exciting. MSFT also works on improvements in the collaboration area: https://bsky.app/profile/syfuhs.net/post/3lny4ppwevs2x

Steve Syfuhs (@syfuhs.net)

And yes, I hear you. We're working on an integration program with industry and open source folks to get more eyes on implementation, beyond the protocol stuff. Fleshing that out right now, so expect to see some news on that in the next couple months.

I've created the first alpha release of libkirmes, a Rust and C library which provides an API to access the systemd userdb.

It will be used in our localkdc project to enrich user information of a user in our Kerberos database with information from the local userdb.

https://crates.io/crates/kirmes

#systemd #kerberos #iakerb #localkdc

Here we go. This is a Samba client and server implementing IAKerb support. The client uses the principal from the local KDC on the Samba server to get a Kerberos ticket using IAKerb. This means we get a krbtgt and service ticket over the SMB connection. No Kerberos setup needed on the client.
#samba #smb #iakerb #krb5 #kerberos #localkdc

#YesterdayAtWork:

- added support to specify a sub-CA in #ACME PKI issuer in #Dogtag, got it merged in one day, which is progress. Haven't written Java for about a year? https://github.com/dogtagpki/pki/pull/4903
- once released, need to support it in #FreeIPA https://pagure.io/freeipa/issue/9701
- worked with @cryptomilk on socket activation of the #localkdc. Andreas published a small demo: https://mastodon.social/@cryptomilk/113505027218036937
- experimented with 32-bit full ID range in FreeIPA. Apart from IPA API fixes, the rest seems to work.

ACME PKI issuer: add support for Authority ID or DN by abbra · Pull Request #4903 · dogtagpki/pki

Allow issuing ACME certificates using a specific authority. This would allow FreeIPA to specify a particular subCA to handle ACME certificates. Fixes: #4902

@abbra and I have been hacking on local KDC support for Linux for a while now. Last week I started to implement socket activation support in MIT Kerberos. Then I created a localkdc project in order to configure and set up a local KDC easily on Linux. We use systemd socket activation to listen on a unix socket (/run/localkdc/kdc.sock) and start the KDC on demand. See the small clip 🙂

https://gitlab.com/cryptomilk/localkdc
https://copr.fedorainfracloud.org/coprs/asn/localkdc/ #krb5 #kerberos #localkdc

Today @abbra and I successfully did the first kinit in MIT Kerberos over a unix domain socket. #krb5 #localkdc

I have an initial implementation of IAKerb in Samba working.

https://k5wiki.kerberos.org/wiki/Projects/IAKERB

#samba #krb5 #localkdc
