Latest posts tagged with #Yesterdayatwork on Bluesky
Spent last week travelling.
#Yesterdayatwork:
- Tue: meeting at Uni Tartu, participating in preliminary QARC gathering as part of CHESS programme. Our EU research project is shaping well (starts in 2026).
- Wed/Thu: participated in NordSec 2025 conference. Interesting talks, nice discussions […]
#Yesterdayatwork
- #Samba Team ran an online developer gathering (wiki.samba.org/index.php/Samba_Develope... next one is next Tuesday
- System Accounts support merged to #FreeIPA upstream, finally, including Web UI integration: https://www.youtube.com/watch?v=cWY0deOZJms […]
#yesterdayatwork
- Got vaccinations on Thursday and they kicked off Friday night, so I was more or less sleeping whole Friday.
- Over weekend fixed a bug in IPA's PR handling tool: it does rewrite commit messages by adding reviewers and then feeds line by line into git am input. This breaks […]
#yesterdayatwork
Past week was busy. We released #FreeIPA 4.12.5 with the fix for CVE-2025-7493. I think we ended up doing 13 downstream releases (RHEL+Fedora) and anticipate several weeks of busy freeipa-users@ traffic.
New FreeIPA Web UI support was merged upstream but building it on the […]
#YesterdayAtWork:
- #FreeIPA and #Samba 4.23 interop fixes pushed to #Fedora 43 updates stable. Not sure they are part of the Fedora 43 beta iso image, though.
- We started looking into how to automatically test Samba and FreeIPA trust interop in Fedora QA infra […]
#YesterdayAtWork:
- the new #Samba 4.23 release candidates found a bug I had in #FreeIPA for a decade. MS-DRSR spec forces version of ForestTrustInfo structure to be set to 1 (the only supported type) and Samba started enforcing it. FreeIPA saved the structure with a default (0) version number […]
#YesterdayAtWork:
This week was intense in fixing regressions. At SambaXP we improved Samba support for Kerberos but it broke FreeIPA use of GSSProxy which we only noticed in Fedora Rawhide with 4.23 release candidates. Fixed that and during Rawhide update discovered that new PCP 7.0.0 broke […]
#YesterdayAtWork
Back from vacation. Spent some time crawling through the emails, recovering my audio setup after two weeks out of home.
- started to look into automating FAST channel use when doing kinit with https://github.com/krb5/krb5/pull/1447 Greg suggested to move the logic to libkrb5 […]
#YesterdayAtWork:
- helped @zlopez investigating why IPA replica couldn't be provisioned in the new Fedora datacenter. We had similar report upstream as well. This looks like a PKI/DS configuration issue but also PKI problem with VLV searches.
- filed an issue for freeipa-healthcheck to […]
#YesterdayAtWork
- back from the Flock+meetings+Devconf trip that took 12 days. Flights got delayed in Prague due to thunderstorms, came back around midnight.
- Tuesday we released #FreeIPA 4.12.4 with a fix to CVE-2025-4404. Spent some time getting Fedora builds done. RHEL builds were released […]
#YesterdayAtWork:
It is a Red Hat Summit's week and I'm in Boston.
- ran a talk about post-quantum crypto in RHEL together with @simo5 and Amy.
- gave 4 lightning talks about different #FreeIPA features that we either have implemented recently or are working upstream:
- `ipa-migrate`
- […]
#YesterdayAtWork:
- together with @cryptomilk we've got #localkdc to handle IP addresses associated with the host as aliases for Kerberos authentication. You'd be able to do SMB3 with Kerberos using IP address and still use Kerberos auth. This is work in progress.
- keep discussing with […]
#YesterdayAtWork, or rather for couple weeks:
- in #FreeIPA completed DNSSEC support recovery after OpenSSL provider API migration
- in orther to merge that upstream, we had to migrate to Fedora 42 builds in CI. This wasn't easy for our Azure CI
- python-dnspython removal in Fedora caused […]
#YesterdayAtWork:
Finished backporting FreeIPA Encrypted DNS support to Fedora. It took several steps, as @pemensik had to do DoT and OpenSSL provider API support backport to Bind 9.18 first, then I had to fix upgrade code that switched our Bind setup from OpenSSL engine use to OpenSSL provider […]
Past week's #YesterdayAtWork:
- Discussed with Greg and Nico IAKERB changes we need to make sure local KDC-issued tickets can work in cross-realm environments. We need IAKERB spec update to clarify the error handling to allow exchanges to proceed properly and not to drop the connection. Todo […]
#YesterdayAtWork:
- IAKERB realm discovery changes merged to MIT Kerberos development branch, as well as fixes to shortcut crashes. They'll appear in the next MIT Kerberos release. So we are good here.
- continue working on sysaccounts support API for #FreeIPA
- helped @cryptomilk with reviews […]
#YesterdayAtWork:
Thursday/Friday were spent in iakerb land. We mostly fixed realm discovery, found a bug in iakerb state machine shortcuts that existed for ~10 years if not more. There is an issue in mixed use of Kerberos and IAKerb mechs which we cannot currently solve, so this will be […]
#YesterdayAtWork:
- When adjusting full 32-bit IDs pull request to review comments, found a bug in a separate upgrade plugin in #FreeIPA. The issue shouldn't happen in normal situation, uncovered by my new changes only. The PR is acked now, so should land in release branches soon.
- Got […]
#YesterdayAtWork: (more of end of past week + today)
- worked with @cryptomilk on IAKerb discovery in MIT Kerberos. Submitted https://github.com/krb5/krb5/pull/1415 which implements client side of the default server realm discovery. It needs target service realm propagation as well but we need […]
#YesterdayAtWork:
- meetings, meetings
- first cut of 32-bit ID ranges support in #FreeIPA. Next step is to actually test a switch over procedure and write docs
- talked to @SteveSyfuhs on how we can get early interop with Windows version of localkdc/iakerb. Hopefully, something will come […]
