[Freeipa-devel] [PATCH] Add delegation info to MS-PAC

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 16 07:14:01 UTC 2013


On Mon, 16 Sep 2013, Martin Kosek wrote:
>On 09/13/2013 03:01 PM, Alexander Bokovoy wrote:
>> On Thu, 07 Feb 2013, Simo Sorce wrote:
>>> This information is not strictly required but is part of the MS-PAC
>>> specification and I had some time to kill on the plane on my last trip
>>> back.
>>>
>>> I tested it briefly with cross-realm trusts and it seems to work fine.
>>> Neither IPA nor AD2012 complained when looking at PACs, so far.
>> Reviving.
>>
>> It is actually a required part, as without it smbd will deny our attempt to
>> establish the local part of the trust in some cases by misinterpreting what
>> we put in the PAC and thinking that a service impersonating the original
>> user is the actual user but taking the original user name as an account
>> name.
>>
>> With this patch everything works fine. ACK.
>>
>
>Is this fix required also for FreeIPA 3.3 and its features? I did not
>understand that from the bug description.
Yes. It is one of the fixes to the issues Tomas was seeing with his test
automation scripts.

-- 
/ Alexander Bokovoy



