PAC validation needs to be change in order to properly function in some scenario, for example when s4u2proxy is used.
The krb5_pac_validation() function will soon be changed to allow a NULL server_key, and the krbtgt_key should always be passed to the privsvr parameter from now on.
Internal task
Patch is currently under review, ticket should be closed soon.
Fixed in: 417b9fb
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/12
Login to comment on this ticket.