The current code assumes the PAC is always signed by our own KDC. But this is not true when the TGT comes from a trusted realm.
It looks like the current code should already work. I will investigate what is making it fail.
Apparently there is a limitation within MIT code where using a different Checksum type to re-sign a PAC will cause the code to fail.
A workaround is to rebuild the PAC from scratch by extracting the buffers first so that the code will create a new PAC instead of being stuck unable to resize the signature fields.
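As an added illustration of the workaround described in the comment above (this is example code written for this page, not code from the ticket, from FreeIPA or from MIT krb5), the Python below parses a PAC into its typed buffers per the MS-PAC PACTYPE/PAC_INFO_BUFFER layout, shows why re-signing in place fails when the new checksum type has a different signature length (an RC4 HMAC-MD5 signature is 16 bytes, an AES HMAC-SHA1-96 signature is 12), and rebuilds the PAC from the extracted buffers with fresh, correctly sized signature buffers. The sample PAC, the keys and the `_checksum` MAC are constructed placeholders: real Kerberos checksums use derived keys and the RC4 MD5-based construction, and only the signature lengths matter here.

```python
import hashlib
import hmac
import struct

# PAC buffer types (MS-PAC 2.4) and checksum types (RFC 3961 / RFC 4757)
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
CKSUMTYPE_HMAC_MD5 = 0xFFFFFF76        # RC4-HMAC, 16-byte signature
CKSUMTYPE_HMAC_SHA1_96_AES256 = 0x10   # AES256-CTS, 12-byte signature
SIG_LEN = {CKSUMTYPE_HMAC_MD5: 16, CKSUMTYPE_HMAC_SHA1_96_AES256: 12}


def parse_pac(blob):
    """Return {ulType: bytes} from a PACTYPE blob (cBuffers, Version, PAC_INFO_BUFFER[])."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    buffers = {}
    for i in range(cbuffers):
        # Each PAC_INFO_BUFFER: ulType (4), cbBufferSize (4), Offset (8)
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type %d runs past end of PAC" % ultype)
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def build_pac(buffers):
    """Serialise {ulType: bytes} into a fresh PACTYPE blob; bodies are 8-byte aligned."""
    header_len = 8 + 16 * len(buffers)
    entries, body = [], b""
    for ultype, data in buffers.items():
        offset = header_len + len(body)
        entries.append(struct.pack("<IIQ", ultype, len(data), offset))
        body += data + b"\0" * (-len(data) % 8)
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + body


def _checksum(cksumtype, key, data):
    # Placeholder MAC (assumption): real Kerberos checksums derive the key first.
    digest = hashlib.md5 if cksumtype == CKSUMTYPE_HMAC_MD5 else hashlib.sha1
    return hmac.new(key, data, digest).digest()[:SIG_LEN[cksumtype]]


def resign_in_place(blob, cksumtype):
    """Mimic a re-signer that reuses the existing signature fields: it cannot resize them."""
    buffers = parse_pac(blob)
    for ultype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        existing = len(buffers[ultype]) - 4          # minus the SignatureType field
        if existing != SIG_LEN[cksumtype]:
            raise ValueError("cannot resize %d-byte signature field to %d bytes"
                             % (existing, SIG_LEN[cksumtype]))
    return True


def rebuild_and_sign(buffers, cksumtype, server_key, kdc_key):
    """The workaround: drop old signatures, rebuild from buffers, sign with new-size fields."""
    siglen = SIG_LEN[cksumtype]
    new = {t: d for t, d in buffers.items()
           if t not in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)}
    # Checksums are computed over the PAC with the signature bytes zeroed.
    new[PAC_SERVER_CHECKSUM] = struct.pack("<I", cksumtype) + b"\0" * siglen
    new[PAC_PRIVSVR_CHECKSUM] = struct.pack("<I", cksumtype) + b"\0" * siglen
    server_sig = _checksum(cksumtype, server_key, build_pac(new))
    kdc_sig = _checksum(cksumtype, kdc_key, server_sig)   # KDC signs the server signature
    new[PAC_SERVER_CHECKSUM] = struct.pack("<I", cksumtype) + server_sig
    new[PAC_PRIVSVR_CHECKSUM] = struct.pack("<I", cksumtype) + kdc_sig
    return build_pac(new)


def sample_pac_from_trusted_realm():
    """Constructed sample: an RC4-signed PAC such as a trusted AD realm might issue."""
    logon = {PAC_LOGON_INFO: b"constructed-logon-info"}
    return rebuild_and_sign(logon, CKSUMTYPE_HMAC_MD5, b"remote-server-key", b"remote-kdc-key")


if __name__ == "__main__":
    pac = sample_pac_from_trusted_realm()
    try:
        resign_in_place(pac, CKSUMTYPE_HMAC_SHA1_96_AES256)
    except ValueError as e:
        print("in-place re-sign failed:", e)
    new_pac = rebuild_and_sign(parse_pac(pac), CKSUMTYPE_HMAC_SHA1_96_AES256,
                               b"our-server-key", b"our-kdc-key")
    print("rebuilt PAC buffers:", {t: len(d) for t, d in parse_pac(new_pac).items()})
```

The in-place path is what the comment says trips MIT's code: the existing 16-byte RC4 signature field cannot hold a 12-byte AES signature without shifting every later offset, so the re-signer gives up. Extracting the buffers and rebuilding yields a new PAC whose signature buffers are allocated at the right size from the start.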
Patch sent to list for review.
Fix in master: ba2e357
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/11