#yesterdayatwork — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #yesterdayatwork, aggregated by home.social.
-
Spent last week travelling.
- Tue: meeting at Uni Tartu, participating in the preliminary QARC gathering as part of the CHESS programme. Our EU research project is shaping up well (starts in 2026).
- Wed/Thu: participated in NordSec 2025 conference. Interesting talks, nice discussions in the hallways.
- Had a nice brainstorming session with @romen on PQC certificates. Need to finish writing up the ideas as bug reports. ;)
-
#Yesterdayatwork
- #Samba Team ran an online developer gathering (https://wiki.samba.org/index.php/Samba_Developer_Online_Gathering), next one is next Tuesday
- System Accounts support merged to #FreeIPA upstream, finally, including Web UI integration: https://www.youtube.com/watch?v=cWY0deOZJms
- bunch of meetings
- got Windows Server 2025 trust with IPA working without any changes and even login to Windows (with changes)
-
I'll mark this as having happened yesterday, though it was my morning today:
#YesterdayAtWork:
- UNIX domain socket support was merged to MIT #Kerberos upstream!
- KDB stackable driver load support was merged to MIT Kerberos upstream!
- Investigated some #SSSD failures in #Fedora OpenQA, two separate issues: SELinux policy (already fixed upstream) and some timing desync in OpenQA that is likely an execution race
- bunch of meetings in the past two days, including interesting discussions with customers
-
#YesterdayAtWork:
- added support to specify a sub-CA in the #ACME PKI issuer in #Dogtag, got it merged in one day, which is progress. Haven't written Java for about a year? https://github.com/dogtagpki/pki/pull/4903
- once released, need to support it in #FreeIPA https://pagure.io/freeipa/issue/9701
- worked with @cryptomilk on socket activation of the #localkdc. Andreas published a small demo: https://mastodon.social/@cryptomilk/113505027218036937
- experimented with 32-bit full ID range in FreeIPA. Apart from IPA API fixes, the rest seems to work.
-
#yesterdayatwork
- Got vaccinations on Thursday and they kicked in Friday night, so I was more or less sleeping the whole of Friday.
- Over the weekend fixed a bug in IPA's PR handling tool: it rewrites commit messages by adding reviewers and then feeds them line by line into `git am` input. This breaks commits which include DOS line endings. Since I had PR#7954 that just removed the Windows krb5.conf and friends, the PR wasn't pushable through the tool.
- Iker published CFP for FOSDEM IAM devroom (cont.)
-
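The line-ending bug described in the post above (a PR tool that rewrites commit messages and feeds the patch line by line into `git am`), as an added example. This is not the IPA tool's code: it is a small stand-in that shows the failure mode and a byte-preserving fix side by side. The sample patch, the author, the hashes, the file name and the `Reviewed-By` trailer format are all constructed for the demonstration.

```python
r"""Add Reviewed-By trailers to a `git format-patch` file without corrupting
CRLF payloads.

Added example, not FreeIPA's PR tool. A tool that decodes a patch as text
and re-joins it line by line silently turns "\r\n" into "\n" inside the diff
hunks, so `git am` then fails on any hunk touching a file with DOS line
endings. The fix is to treat the patch as bytes and keep line terminators.
"""

from typing import Iterable, List

# Constructed sample patch (hypothetical author, hashes, path and signature).
# The deleted file had DOS line endings, so its "-" hunk lines end in CRLF.
SAMPLE_PATCH = (
    b"From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001\n"
    b"From: Example Dev <dev@example.test>\n"
    b"Date: Mon, 1 Jan 2024 00:00:00 +0000\n"
    b"Subject: [PATCH] Remove the Windows krb5.conf sample\n"
    b"\n"
    b"The sample is no longer shipped.\n"
    b"---\n"
    b" contrib/krb5.conf.windows | 2 --\n"
    b" 1 file changed, 2 deletions(-)\n"
    b" delete mode 100644 contrib/krb5.conf.windows\n"
    b"\n"
    b"diff --git a/contrib/krb5.conf.windows b/contrib/krb5.conf.windows\n"
    b"deleted file mode 100644\n"
    b"index 2222222..0000000\n"
    b"--- a/contrib/krb5.conf.windows\n"
    b"+++ /dev/null\n"
    b"@@ -1,2 +0,0 @@\n"
    b"-[libdefaults]\r\n"
    b"-  default_realm = EXAMPLE.TEST\r\n"
    b"-- \n"
    b"2.45.0\n"
)


def _trailers(reviewers: Iterable[str]) -> List[bytes]:
    """Trailer lines to insert (hypothetical format, LF-terminated)."""
    return [b"Reviewed-By: " + r.encode("utf-8") + b"\n" for r in reviewers]


def add_reviewers_naive(patch: bytes, reviewers: Iterable[str]) -> bytes:
    r"""Buggy variant: decode to text, str.splitlines(), "\n".join().

    str.splitlines() discards every terminator (CRLF included, plus form
    feeds, NEL, U+2028 ...) and the join writes back a bare LF, so the
    commit message gets its trailers but every CRLF in the diff is lost.
    """
    out: List[str] = []
    inserted = False
    for line in patch.decode("utf-8").splitlines():
        if not inserted and line == "---":
            out.extend(t.decode("utf-8").rstrip("\n") for t in _trailers(reviewers))
            inserted = True
        out.append(line)
    return ("\n".join(out) + "\n").encode("utf-8")


def add_reviewers(patch: bytes, reviewers: Iterable[str]) -> bytes:
    """Byte-preserving variant.

    bytes.splitlines(keepends=True) splits only on LF, CR and CRLF and keeps
    the terminator attached, so untouched lines are emitted byte-for-byte.
    Trailers go before the first "---" separator, i.e. at the end of the
    commit message as `git am` sees it. Simplification: a message body that
    itself contains a bare "---" line would need `git interpret-trailers`.
    """
    out: List[bytes] = []
    inserted = False
    for line in patch.splitlines(keepends=True):
        if not inserted and line.rstrip(b"\r\n") == b"---":
            out.extend(_trailers(reviewers))
            inserted = True
        out.append(line)
    return b"".join(out)


def crlf_line_count(patch: bytes) -> int:
    """Number of lines still ending in CRLF; a drop to 0 means corruption."""
    return sum(1 for ln in patch.splitlines(keepends=True) if ln.endswith(b"\r\n"))


if __name__ == "__main__":
    reviewers = ["Alice Reviewer <alice@example.test>"]
    print("original CRLF lines :", crlf_line_count(SAMPLE_PATCH))
    print("byte-preserving     :", crlf_line_count(add_reviewers(SAMPLE_PATCH, reviewers)))
    print("naive text rewrite  :", crlf_line_count(add_reviewers_naive(SAMPLE_PATCH, reviewers)))
```

The check worth keeping in any such tool is the last function: count CRLF-terminated lines before and after the rewrite, and refuse to pipe the result into `git am` if the count changed. Working in bytes also avoids a second trap of `str.splitlines()`, which treats Unicode separators such as U+2028 inside a commit message as line breaks.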
This week I attended the OpenSSL conference in Prague, a lot of discussions, not much actual work. The conference ran really smoothly.
- QUBIP folks showed amazing progress with their Rust-based softtoken and Firefox post-quantum crypto support.
- Highly recommend Viktor Dukhovni's Postfix use of OpenSSL talk: https://dnssec-stats.ant.isi.edu/~viktor/prague.pdf
- Had a few discussions with Nico on the Kerberos future (his ASN.1 tools talk is also worth watching). Hopefully, videos will be public in a few weeks.
-
Past week was busy. We released #FreeIPA 4.12.5 with the fix for CVE-2025-7493. I think we ended up doing 13 downstream releases (RHEL+Fedora) and anticipate several weeks of busy freeipa-users@ traffic.
New FreeIPA Web UI support was merged upstream but building it on the mainframe is not possible, so branching to 4.13 pre-releases is delayed.
Next week is the OpenSSL conference in Prague, a lot of talks in preparation for the PQC support work.
-
- #FreeIPA and #Samba 4.23 interop fixes pushed to #Fedora 43 updates stable. Not sure they are part of the Fedora 43 beta iso image, though.
- We started looking into how to automatically test Samba and FreeIPA trust interop in Fedora QA infra: https://lists.fedoraproject.org/archives/list/[email protected]/thread/4JZ2VS6CYNVMBYR45ND62OULXZZ2MLMA/, if anyone wants to help, please contact me.
- Ran the FreeIPA sysaccounts demo for Red Hat's teams and found a couple of bugs, nice demo effect. Fixed.
- Worked on a couple more fixes to enforce attribute uniqueness.
-
#YesterdayAtWork:
- the new #Samba 4.23 release candidates found a bug I had in #FreeIPA for a decade. The MS-DRSR spec forces the version of the ForestTrustInfo structure to be set to 1 (the only supported type) and Samba started enforcing it. FreeIPA saved the structure with the default (0) version number and now Samba doesn't accept it, leading to rejection of the trusted domains reported by FreeIPA. Fixed and will be in Fedora 43 beta thanks to the exception granted.
1/
-
#YesterdayAtWork:
This week was intense in fixing regressions. At SambaXP we improved Samba support for Kerberos but it broke FreeIPA's use of GSSProxy, which we only noticed in Fedora Rawhide with the 4.23 release candidates. Fixed that and during the Rawhide update discovered that the new PCP 7.0.0 broke ctdb in Samba. Took some time to fix that too, thanks to the PCP maintainers! Hopefully, upstream changes will be merged before the Samba 4.23.0 final release.
1/
-
Back from vacation. Spent some time crawling through the emails, recovering my audio setup after two weeks out of home.
- started to look into automating FAST channel use when doing kinit with https://github.com/krb5/krb5/pull/1447. Greg suggested moving the logic to libkrb5 so that all apps can benefit
- Reviewed some pull requests and WIP patches. Samba ones should land in 4.23, hopefully.
- struggled with Fedora DDoSes. Q^%&@@#!
-
- helped @zlopez investigate why an IPA replica couldn't be provisioned in the new Fedora datacenter. We had a similar report upstream as well. This looks like a PKI/DS configuration issue but also a PKI problem with VLV searches.
- filed an issue for freeipa-healthcheck to identify broken configurations for the above and suggest adjustments.
- read through the new MCP spec and found that there are similar needs there for authentication/authorization as we have in IPA for the OAuth2 IdP.
-
#YesterdayAtWork
- back from the Flock+meetings+Devconf trip that took 12 days. Flights got delayed in Prague due to thunderstorms, came back around midnight.
- Tuesday we released #FreeIPA 4.12.4 with a fix for CVE-2025-4404. Spent some time getting Fedora builds done. RHEL builds were released yesterday as well, 14 releases in total (Fedora + RHEL). CentOS Stream release is in progress.
- Figured out how to transparently migrate user accounts to local KDC. Need to write that down and prototype.
-
#YesterdayAtWork:
It is Red Hat Summit week and I'm in Boston.
- ran a talk about post-quantum crypto in RHEL together with @simo5 and Amy.
- gave 4 lightning talks about different #FreeIPA features that we either have implemented recently or are working on upstream:
- `ipa-migrate`
- `ipa-tuura` integration with #Keycloak
- IPA-IPA trust demo
- dynamic inventory in ansible-freeipa
- had a bunch of meetings with customers, tomorrow will have more
- met a lot of #FreeIPA users
-
- together with @cryptomilk we've got #localkdc to handle IP addresses associated with the host as aliases for Kerberos authentication. You'd be able to do SMB3 with Kerberos using an IP address and still use Kerberos auth. This is work in progress.
- keep discussing IAKERB interop with Windows with the DocHelp folks. Both sides need some work, which is exciting. MSFT is also working on improvements in the collaboration area: https://bsky.app/profile/syfuhs.net/post/3lny4ppwevs2x
..
-
#YesterdayAtWork, or rather for a couple of weeks:
- in #FreeIPA completed DNSSEC support recovery after OpenSSL provider API migration
- in order to merge that upstream, we had to migrate to Fedora 42 builds in CI. This wasn't easy for our Azure CI
- python-dnspython removal in Fedora caused additional turmoil; luckily, the Python team reacted quickly (from bug to fix in F42 stable in under one day)
- started looking into IP address-based aliases in local KDC together with @cryptomilk
...
-
Finished backporting FreeIPA Encrypted DNS support to Fedora. It took several steps, as @pemensik had to do DoT and OpenSSL provider API support backport to Bind 9.18 first, then I had to fix upgrade code that switched our Bind setup from OpenSSL engine use to OpenSSL provider.
These fixes landed in Fedora 42 updates-testing and in Rawhide, the packages are pretty much the same as in CentOS 10 Stream. However, that means ansible-freeipa cannot install them due to ...
-
Past week's #YesterdayAtWork:
- Discussed with Greg and Nico the IAKERB changes we need to make sure local KDC-issued tickets can work in cross-realm environments. We need an IAKERB spec update to clarify the error handling to allow exchanges to proceed properly and not drop the connection. Todo: draft a spec update proposal.
- Augeas CVE fix got merged upstream, one less outstanding PR.
- On the same topic, my VHS PR got closed but an alternative (3rd, already) fix was merged and it is working.
-
#YesterdayAtWork:
- IAKERB realm discovery changes merged to MIT Kerberos development branch, as well as fixes to shortcut crashes. They'll appear in the next MIT Kerberos release. So we are good here.
- continue working on sysaccounts support API for #FreeIPA
- helped @cryptomilk with reviews in Kirmes. Basic userdb communication works fine now and Rust code is accessible from C apps. Next step is to find out how we can do proper async stuff as the Rust version of libvarlink cannot do async yet.
-
Thursday/Friday were spent in iakerb land. We mostly fixed realm discovery, found a bug in iakerb state machine shortcuts that existed for ~10 years if not more. There is an issue in mixed use of Kerberos and IAKerb mechs which we cannot currently solve, so this will be handled later.
Next part is to fix Samba command line processing. Samba cannot combine an explicit user name and a credentials cache on the command line. This needs to be fixed but there are edge cases.
-
- When adjusting the full 32-bit IDs pull request to review comments, found a bug in a separate upgrade plugin in #FreeIPA. The issue shouldn't happen in a normal situation, uncovered by my new changes only. The PR is acked now, so should land in release branches soon.
- Got IAKerb discovery working for both client and target names. Found out that Wireshark parsing of IAKerb does not support discovery operations. Need a fix!
...
-
#YesterdayAtWork: (more of end of past week + today)
- worked with @cryptomilk on IAKerb discovery in MIT Kerberos. Submitted https://github.com/krb5/krb5/pull/1415 which implements the client side of the default server realm discovery. It needs target service realm propagation as well but we need to discuss things with MIT first.
- finished 32-bit ID range support, tests also work in https://github.com/freeipa/freeipa/pull/7713.
- close to finishing the eDNS design doc review and preparing for the FreeIPA upstream release.
-
- meetings, meetings
- first cut of 32-bit ID ranges support in #FreeIPA. Next step is to actually test a switch-over procedure and write docs
- talked to @SteveSyfuhs on how we can get early interop with Windows version of localkdc/iakerb. Hopefully, something will come out before SDC IOLab.
- Julien submitted a PR to support multiple master keys in FreeIPA. ToDo: tests and review, but it looks promising.
-
#YesterdayAtWork:
- finished up bits and pieces of the #FreeIPA local tests repo, https://github.com/abbra/freeipa-local-tests/
- made a minimal demo lab available. It produces one server and one enrolled client, with the purpose of demonstrating how to extend a demo (including video recording).
- started liboauth2 2.1.0 packaging but was stopped by the mainframe builds lagging. Will finish today.
Published a blog: https://vda.li/en/posts/2025/02/14/FreeIPA-local-tests/
-
#YesterdayAtWork:
- mostly Thursday-Monday, really.
- worked on the encrypted DNS PR review for FreeIPA. Found some issues but in the end we solved everything that mattered and the PR merged upstream. No release yet as we need the remaining package updates in Fedora/CentOS Stream first. C10S builds today.
- Samba 4.22.0RC1 is in F42/F43(Rawhide) with SMB3 UNIX extensions enabled by default. Needs Linux 6.13+ with some kernel-side fixes but should finally give home directories on encrypted SMB3, full POSIX.
-
This will mostly go for the past week, not a day, as there were CentOS Connect and FOSDEM
#YesterdayAtWork:
- travelled to Brussels on Wednesday
- attended CentOS Connect on Thursday/Friday. Lots of hallway track discussions.
- productive talks with alternative images SIG and hyperscale SIG folks on Thursday. Some clearing up of the potential issues in early boot that systemd folks weren't aware of. Our encrypted DNS work is popping up in interested places....
-
This is mostly Friday-Sunday, preparation to FOSDEM is ongoing.
- got local KDC demos fully automated. It is a relief.
- in the process of doing them realised we need to rebuild Samba in the asn/localkdc COPR as a newer Samba build went to Fedora. Andreas rebuilt it.
- Also we need an update to Samba IAKerb support to work with existing Kerberos ccaches. @cryptomilk will look at that
- more changes will be needed for easier UX (discover realms, foreign creds, etc)
...
-
- rebuilt slapi-nis and python-whoosh in #Fedora rawhide after mass rebuild failures
- Greg continues to poke possible ACL issues with aliases in https://github.com/krb5/krb5/pull/1393. It is an interesting example of how to look at new features which take a little to implement but grow in scope.
- Trivino did a bit of reorganization for our demos, now ipalab-config demos are in a separate folder: https://github.com/abbra/freeipa-local-tests/tree/main/ipalab-config
-
- looked at the fallout of the Fedora mass rebuild with GCC 15. A few broken packages, nothing dramatic, small patches needed. Will work on the fixes today
- I'll fix python-whoosh this time but probably will have to disable internal tests. The only real dependency left in Fedora is mailman's web UI.
- Steve started looking at smb3.ko support for IAKerb and Local KDC. Found some bugs in localkdc package, will be looking at that today/tomorrow.
-
#YesterdayAtWork:
- meetings
- got external IdP tests reintroduced to #FreeIPA gating and client secret regression fixed (now in all branches). TODO: rebuild Fedora packages
- looked at python-whoosh which does not build in Rawhide. When fixing Sphinx references, I got to a test that now fails on older Fedora. whoosh is not active upstream, things are about to get orphaned again, it seems
- started working on bind-dyndb-ldap release to support bind 9.18. All patches are in git master......
-
Mostly Friday and Saturday but also today.
#YesterdayAtWork:
- Worked on converting #FreeIPA Web UI CI testing to use ipalab-config. Discovered in the process that some tests don't work with newer Cypress. Also found that some logic in Web UI components is different from what IPA allows you to do.
- Fixed one fallout from the CVE-2024-11029 fixes in IPA. A CI test for this use case isn't running due to changes in Keycloak and now I'm trying to improve that test
....