#3231 Need to relax MS-PAC checks
Closed: Fixed None Opened 11 years ago by simo.

Windows 2012 slightly changed what it sends in the MS-PAC, and it sends a special SID in the ExtraSids buffer.

Our validation currently considers anything but 0 extra sids a validation error. However upon consultation with MS Documentation Engineers at the AD IO Lab and upon further reading of the docs, we shouldn't have considered this a validation error, but should simply have done filtering at most.

The validation rules need to be relaxed, otherwise we always fail to release a ticket to any TG request from users coming from a trust relationship with a Windows 2012 domain controller.


We need to fail if our own SIDs are in ExtraSids.
I'll take it over.
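
The relaxed rule discussed in this ticket (filter ExtraSids instead of rejecting any non-empty list, but still fail when an extra SID belongs to our own domain), shown in C as an added example; it is not FreeIPA's code. The function names, the deny-prefix policy and all SID values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value, not taken from the ticket. */
#define OWN_DOMAIN_SID "S-1-5-21-1111111111-2222222222-3333333333"

/* 1 if sid is dom itself or dom followed by "-<sub-authority>...". */
static int sid_under(const char *sid, const char *dom)
{
    size_t n = strlen(dom);
    return strncmp(sid, dom, n) == 0 && (sid[n] == '\0' || sid[n] == '-');
}

/* Old behaviour described in the ticket: any extra SID is an error. */
int strict_check(size_t count) { return count == 0 ? 0 : -1; }

/* Relaxed behaviour: reject (-1) only when an extra SID claims our own
 * domain; otherwise drop SIDs under a denied prefix and keep the rest.
 * Compacts extra[] in place and returns the number of SIDs kept. */
int filter_extra_sids(const char **extra, size_t count, const char *own,
                      const char **deny, size_t ndeny)
{
    size_t i, j, kept = 0;

    for (i = 0; i < count; i++)      /* pass 1: fail before touching extra[] */
        if (sid_under(extra[i], own))
            return -1;
    for (i = 0; i < count; i++) {    /* pass 2: filter */
        int drop = 0;
        for (j = 0; j < ndeny; j++)
            drop |= sid_under(extra[i], deny[j]);
        if (!drop)
            extra[kept++] = extra[i];
    }
    return (int)kept;
}

int main(void)
{
    const char *deny[] = { "S-1-5-32" };   /* hypothetical policy: BUILTIN */
    const char *extra[] = { "S-1-18-1", "S-1-5-32-544",
        "S-1-5-21-4444444444-5555555555-6666666666-1105" };
    int n = filter_extra_sids(extra, 3, OWN_DOMAIN_SID, deny, 1);

    printf("strict=%d relaxed kept=%d\n", strict_check(3), n);
    return 0;
}
```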

Merge KDC LDAP components to one.

Metadata Update from @simo:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.1 Stabilization

7 years ago
