[Freeipa-devel] [PATCH] Add delegation info to MS-PAC
Martin Kosek
mkosek at redhat.com
Mon Sep 16 07:07:25 UTC 2013
On 09/13/2013 03:01 PM, Alexander Bokovoy wrote:
> On Thu, 07 Feb 2013, Simo Sorce wrote:
>> This information is not strictly required but is part of the MS-PAC
>> specification and I had some time to kill on the plane on my last trip
>> back.
>>
>> I tested it briefly with cross-realm trusts and it seems to work fine.
>> Neither IPA nor AD2012 complained when looking at PACs, so far.
> Reviving.
>
> It is actually a required part, as without it smbd will deny our attempt to
> establish the local part of the trust in some cases by misinterpreting what
> we put in the PAC and thinking that a service impersonating the original
> user is the actual user but taking the original user name as an account
> name.
>
> With this patch everything works fine. ACK.
>
Is this fix required also for FreeIPA 3.3 and its features? I did not
understand that from the bug description.
Martin