#2122 Handle PAC verification for cross realm trust krbtgts
Closed: Fixed None Opened 12 years ago by simo.

The current code assumes the PAC is always signed by our own KDC. But this is not true when the TGT comes from a trusted realm.


It looks like the current code should already work.
I will investigate what is making it fail.

Apparently there is a limitation within MIT code where using a different Checksum type to re-sign a PAC will cause the code to fail.

A workaround is to rebuild the PAC from scratch by extracting the buffers first so that the code will create a new PAC instead of being stuck unable to resize the signature fields.

Patch sent to list for review.
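Added illustration, not the FreeIPA patch or MIT krb5 code: using the PAC layout from MS-PAC, it shows why a different checksum type changes the signature buffer size (16 bytes for HMAC-MD5, 12 for the AES types) and how extracting the data buffers and building a fresh PAC avoids resizing in place. Function names and the sample buffers are constructed for this example, and the keyed signing step is left out.

```python
import struct

# Signature lengths per checksum type (MS-PAC PAC_SIGNATURE_DATA):
# -138 = HMAC-MD5, 15 = HMAC-SHA1-96-AES128, 16 = HMAC-SHA1-96-AES256.
SIG_LEN = {-138: 16, 15: 12, 16: 12}
SERVER_CKSUM, KDC_CKSUM = 6, 7  # PAC_INFO_BUFFER ulType values

def parse_pac(blob):
    """Return [(ulType, data)] in header order, bounds-checking every entry."""
    if len(blob) < 8:
        raise ValueError("short PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0 or 8 + 16 * count > len(blob):
        raise ValueError("bad PACTYPE header")
    buffers = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset % 8 or offset < 8 + 16 * count or offset + size > len(blob):
            raise ValueError("buffer %d outside PAC" % i)
        buffers.append((ul_type, blob[offset:offset + size]))
    return buffers

def build_pac(buffers):
    """Serialize buffers into a new PAC with 8-byte aligned data."""
    offset = 8 + 16 * len(buffers)
    header = struct.pack("<II", len(buffers), 0)
    body = b""
    for ul_type, data in buffers:
        header += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return header + body

def rebuild_for_resign(blob, cksum_type):
    """Extract the data buffers and build a fresh PAC whose two signature
    buffers are zeroed placeholders sized for cksum_type."""
    kept = [(t, d) for t, d in parse_pac(blob)
            if t not in (SERVER_CKSUM, KDC_CKSUM)]
    empty_sig = struct.pack("<i", cksum_type) + b"\0" * SIG_LEN[cksum_type]
    sigs = [(SERVER_CKSUM, empty_sig), (KDC_CKSUM, empty_sig)]
    return build_pac(kept + sigs)

def sample_pac():
    # Constructed sample: opaque stand-ins for the logon-info (1) and
    # client-info (10) buffers, carrying HMAC-MD5 signatures.
    md5_sig = struct.pack("<i", -138) + b"\xaa" * 16
    return build_pac([(1, b"LOGON-INFO-STAND-IN"), (10, b"CLIENT-INFO"),
                      (SERVER_CKSUM, md5_sig), (KDC_CKSUM, md5_sig)])
```

The rebuilt PAC is what a signing routine would then fill in; any code that instead overwrites the old 16-byte signature fields in place has no room to express a 12-byte signature without rewriting every offset.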

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/11

7 years ago
