#yesterdayatwork

Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>It is a Red Hat Summit's week and I'm in Boston.<br>- ran a talk about post-quantum crypto in RHEL together with <span class="h-card" translate="no"><a href="https://fosstodon.org/@simo5" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>simo5</span></a></span> and Amy.<br>- gave 4 lightning talks about different <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> features that we either have implemented recently or are working upstream:<br> - `ipa-migrate`<br> - `ipa-tuura` integration with <a href="https://mastodon.social/tags/Keycloak" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Keycloak</span></a><br> - IPA-IPA trust demo<br> - dynamic inventory in ansible-freeipa<br> - had a bunch of meetings with customers, tomorrow will have more<br> - met a lot of <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> users</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- together with <span class="h-card" translate="no"><a href="https://mastodon.social/@cryptomilk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cryptomilk</span></a></span> we've got <a href="https://mastodon.social/tags/localkdc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>localkdc</span></a> to handle IP addresses associated with the host as aliases for Kerberos authentication. You'd be able to do SMB3 with Kerberos using IP address and still use Kerberos auth. This is work in progress.</p><p>- keep discussing with DocHelp folks IAKERB interop with Windows. Both sides need some work, which is exciting. MSFT also works on improvements in the collaboration area: <a href="https://bsky.app/profile/syfuhs.net/post/3lny4ppwevs2x" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bsky.app/profile/syfuhs.net/po</span><span class="invisible">st/3lny4ppwevs2x</span></a></p><p>..</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>, or rather for a couple of weeks: <br>- in <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> completed DNSSEC support recovery after OpenSSL provider API migration<br>- in order to merge that upstream, we had to migrate to Fedora 42 builds in CI. This wasn't easy for our Azure CI<br>- python-dnspython removal in Fedora caused additional turmoil; luckily, Python team did react quickly (from bug to fix in F42 stable under one day)<br>- started looking into IP address-based aliases in local KDC together with <span class="h-card" translate="no"><a href="https://mastodon.social/@cryptomilk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cryptomilk</span></a></span> <br>...</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>Finished backporting FreeIPA Encrypted DNS support to Fedora. It took several steps, as <span class="h-card" translate="no"><a href="https://fosstodon.org/@pemensik" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>pemensik</span></a></span> had to do DoT and OpenSSL provider API support backport to Bind 9.18 first, then I had to fix upgrade code that switched our Bind setup from OpenSSL engine use to OpenSSL provider.</p><p>These fixes landed in Fedora 42 updates-testing and in Rawhide, the packages are pretty much the same as in CentOS 10 Stream. However, that means ansible-freeipa cannot install them due to ...</p>
Alexander Bokovoy<p>Past week's <a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- Discussed with Greg and Nico IAKERB changes we need to make sure local KDC-issued tickets can work in cross-realm environments. We need IAKERB spec update to clarify the error handling to allow exchanges to proceed properly and not to drop the connection. Todo: draft spec update proposal.</p><p>- Augeas CVE fix got merged upstream, one outstanding PR less.</p><p>- On the same topic, my VHS PR got closed but an alternative (3rd, already) fix was merged and it is working.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- IAKERB realm discovery changes merged to MIT Kerberos development branch, as well as fixes to shortcut crashes. They'll appear in the next MIT Kerberos release. So we are good here.<br>- continue working on sysaccounts support API for <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> <br>- helped <span class="h-card" translate="no"><a href="https://mastodon.social/@cryptomilk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cryptomilk</span></a></span> with reviews in Kirmes. Basic userdb communication works fine now and Rust code is accessible from C apps. Next step is to find out how we can do proper async stuff as Rust version of libvarlink cannot do async yet.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>Thursday/Friday were spent in iakerb land. We mostly fixed realm discovery, found a bug in iakerb state machine shortcuts that existed for ~10 years if not more. There is an issue in mixed use of Kerberos and IAKerb mechs which we cannot currently solve, so this will be handled later.</p><p>Next part is to fix Samba command line processing. Samba cannot combine an explicit user name and a credentials cache on the command line. This needs to be fixed but there are edge cases.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- When adjusting full 32-bit IDs pull request to review comments, found a bug in a separate upgrade plugin in <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a>. The issue shouldn't happen in a normal situation, uncovered by my new changes only. The PR is acked now, so should land in release branches soon.</p><p>- Got IAKerb discovery working for both client and target names. Found out that Wireshark parsing of IAKerb does not support discovery operations. Need a fix!</p><p>...</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: (more of end of past week + today)<br>- worked with <span class="h-card" translate="no"><a href="https://mastodon.social/@cryptomilk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cryptomilk</span></a></span> on IAKerb discovery in MIT Kerberos. Submitted <a href="https://github.com/krb5/krb5/pull/1415" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/krb5/krb5/pull/1415</span><span class="invisible"></span></a> which implements client side of the default server realm discovery. It needs target service realm propagation as well but we need to discuss things with MIT first.</p><p>- finished 32-bit ID range support, tests also work in <a href="https://github.com/freeipa/freeipa/pull/7713" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/freeipa/freeipa/pul</span><span class="invisible">l/7713</span></a>.</p><p>- close to finishing eDNS design doc review and prepare for FreeIPA upstream release.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- meetings, meetings</p><p>- first cut of 32-bit ID ranges support in <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a>. Next step is to actually test a switch over procedure and write docs</p><p>- talked to <span class="h-card" translate="no"><a href="https://hachyderm.io/@SteveSyfuhs" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>SteveSyfuhs</span></a></span> on how we can get early interop with Windows version of localkdc/iakerb. Hopefully, something will come out before SDC IOLab.</p><p>- Julien submitted a PR to support multiple master keys in FreeIPA. ToDo: tests and review, but it looks promising.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- getting closer to replace outdated vagrant VMs with ipalab-config-based setup for <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> modern Web UI development. Some issues with Cypress tests still need to be figured out</p><p>- Greg did merge alias support to KDB. All basic infra for localkdc is now in MIT <a href="https://mastodon.social/tags/Kerberos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kerberos</span></a> upstream.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- finished up bits and pieces of the <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> local tests repo, <a href="https://github.com/abbra/freeipa-local-tests/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/abbra/freeipa-local</span><span class="invisible">-tests/</span></a></p><p>- made a minimal demo lab available. It produces one server and one enrolled client, with a purpose to demonstrate how to extend a demo (including video recording). </p><p>- started liboauth2 2.1.0 packaging but was stopped by the mainframe builds lagging. Will finish today.</p><p>Published a blog: <a href="https://vda.li/en/posts/2025/02/14/FreeIPA-local-tests/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">vda.li/en/posts/2025/02/14/Fre</span><span class="invisible">eIPA-local-tests/</span></a></p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- mostly Thursday-Monday, really.</p><p>- worked on encrypted DNS PR review for FreeIPA. Found some issues but in the end we solved all that mattered and the PR merged upstream. No release yet as we need remaining package updates in Fedora/CentOS Stream first. C10S builds today.</p><p>- Samba 4.22.0RC1 is in F42/F43(Rawhide) with SMB3 UNIX extensions enabled by default. Needs Linux 6.13+ with some kernel-side fixes but should finally give home directories on encrypted SMB3, full POSIX.</p>
Alexander Bokovoy<p>This will mostly go for the past week, not a day, as there were CentOS Connect and FOSDEM<br><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- travelled to Brussels on Wednesday<br>- attended CentOS Connect on Thursday/Friday. Lots of hallway track discussions.<br>- productive talks with alternative images SIG and hyperscale SIG folks on Thursday. Some clearing up of the potential issues in early boot that systemd folks weren't aware of. Our encrypted DNS work is popping up in interested places.</p><p>...</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>This is mostly Friday-Sunday, preparation to FOSDEM is ongoing.</p><p>- got local KDC demos fully automated. It is a relief.<br>- in the process of doing them realised we need to rebuild Samba in the asn/localkdc COPR as newer Samba build went to Fedora. Andreas rebuilt it.<br>- Also we need update to Samba IAKerb support to work with existing Kerberos ccaches. <span class="h-card" translate="no"><a href="https://mastodon.social/@cryptomilk" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cryptomilk</span></a></span> will look at that<br>- more changes will be needed for easier UX (discover realms, foreign creds, etc)<br>...</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- rebuilt slapi-nis and python-whoosh in <a href="https://mastodon.social/tags/Fedora" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fedora</span></a> rawhide after mass rebuild failures<br>- Greg continues to poke possible ACL issues with aliases in <a href="https://github.com/krb5/krb5/pull/1393" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/krb5/krb5/pull/1393</span><span class="invisible"></span></a>. It is an interesting example of how to look at new features which take a little to implement but grow in scope.<br>- Trivino did a bit of reorganization for our demos, now ipalab-config demos are in a separate folder: <a href="https://github.com/abbra/freeipa-local-tests/tree/main/ipalab-config" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/abbra/freeipa-local</span><span class="invisible">-tests/tree/main/ipalab-config</span></a></p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- looked at the fallout of Fedora mass rebuild with GCC 15. Few broken packages, nothing dramatic, small patches needed. Will work on the fixes today</p><p>- I'll fix python-whoosh this time but probably will have to disable internal tests. The only real dependency left in Fedora is mailman's web UI.</p><p>- Steve started looking at smb3.ko support for IAKerb and Local KDC. Found some bugs in localkdc package, will be looking at that today/tomorrow.</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- meetings<br>- got external IdP tests reintroduced to <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> gating and client secret regression fixed (now in all branches). TODO: rebuild Fedora packages<br>- looked at python-whoosh which does not build in Rawhide. When fixing sphinx references got to a test that now fails on older Fedora. whoosh is not active upstream, things about to get orphaned again, it seems<br>- started working on bind-dyndb-ldap release to support bind 9.18. All patches are in git master...</p><p>...</p>
Alexander Bokovoy<p>Mostly Friday and Saturday but also today.<br><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: <br>- Worked on converting <a href="https://mastodon.social/tags/FreeIPA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FreeIPA</span></a> Web UI CI testing to use ipalab-config. Discovered in the process that some tests don't work with newer cypress. Also found that some logic in web ui components is different from what IPA allows to do.<br>- Fixed one fall off from CVE 2024-11029 fixes in IPA. A CI test for this use case isn't running due to changes in Keycloak and now I'm trying to improve that test<br>....</p>
Alexander Bokovoy<p><a href="https://mastodon.social/tags/YesterdayAtWork" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>YesterdayAtWork</span></a>: </p><p>- MSFT dochelp confirmed we'd need to support another checksum field in pkAuthenticator in PKINIT exchange to be able to use non-SHA1 checksums. This certainly can cause compatibility issues with older releases.<br>- On the other hand, Windows seems to have some difference when using ECDH vs FFDH in this scenario and the specs aren't really up to date, so both sides need some work.<br>- worked on converting freeipa-webui CI from use of vagrant to podman-compose + ipalab-config...</p>