[Freeipa-devel] [PATCH] #2122 Fix PAC re-signing

Simo Sorce simo at redhat.com
Wed Nov 23 00:10:54 UTC 2011


In some cases the KDC will decide to use a different checksum type when
re-signing a PAC to include it in a service ticket.

This is common in a cross-realm trust with AD as most AD DCs will use a
HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
HMAC-SHA-AES when re-signing the PAC.

In current MIT code re-signing a PAC with a signature that differs in
length from the original will cause an error.

While MIT should handle this properly, we use the workaround of
regenerating the PAC from scratch so that there is no trace of the
previous signatures.

Tested while obtaining a cross-realm ticket from an AD domain against a
service belonging to an IPA domain.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipa-kdb-Support-re-signing-PAC-with-different-checks.patch
Type: text/x-patch
Size: 2688 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111122/28228882/attachment.bin>
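The length mismatch the mail describes, worked through on a simplified PAC model (an added example, not the ipa-kdb patch or MIT code): an in-place re-sign that overwrites the existing signature buffers fails when the new checksum type has a different length, while regenerating the PAC from the data buffers does not. The buffer-type numbers and checksum ids follow MS-PAC and RFC 3961/4757; the alignment padding, the keyed checksum itself and all keys are constructed simplifications.

```python
import hashlib, hmac, struct

# Simplified MS-PAC layout (assumption: 8-byte padding and the other buffer
# types are omitted).  PACTYPE header: cBuffers, Version (u32 each); then
# PAC_INFO_BUFFER entries: ulType u32, cbBufferSize u32, Offset u64; a
# signature buffer is SignatureType (i32) followed by the checksum bytes.
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
CKSUM = {"hmac-md5": (-138, hashlib.md5, 16),          # (cksum id, toy HMAC, len); AD DC default
         "hmac-sha1-96-aes256": (16, hashlib.sha1, 12)}  # what the IPA KDC picks when re-signing

def _checksum(kind, key, data):  # toy keyed checksum, not the real Kerberos KDF
    _, digest, length = CKSUM[kind]
    return hmac.new(key, data, digest).digest()[:length]

def parse(pac):
    count = struct.unpack_from("<I", pac)[0]
    entries = [struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count)]
    return {t: pac[off:off + size] for t, size, off in entries}

def build(bufs):
    header, body, start = struct.pack("<II", len(bufs), 0), b"", 8 + 16 * len(bufs)
    for t, payload in bufs.items():
        header += struct.pack("<IIQ", t, len(payload), start + len(body))
        body += payload
    return header + body

def sign(logon_info, server_kind, kdc_kind, server_key, kdc_key):
    # Generate from scratch: server checksum over the PAC with both signature
    # fields zeroed, then the KDC checksum over the server checksum.
    stype, ktype = (struct.pack("<i", CKSUM[k][0]) for k in (server_kind, kdc_kind))
    bufs = {PAC_LOGON_INFO: logon_info,
            PAC_SERVER_CHECKSUM: stype + bytes(CKSUM[server_kind][2]),
            PAC_PRIVSVR_CHECKSUM: ktype + bytes(CKSUM[kdc_kind][2])}
    server_sig = _checksum(server_kind, server_key, build(bufs))
    bufs[PAC_SERVER_CHECKSUM] = stype + server_sig
    bufs[PAC_PRIVSVR_CHECKSUM] = ktype + _checksum(kdc_kind, kdc_key, server_sig)
    return build(bufs)

def resign_in_place(pac, server_kind, kdc_kind, server_key, kdc_key):
    # Model of the failing path: overwrite the existing signature buffers,
    # which only fits when the new checksum has the same length as the old.
    bufs = parse(pac)
    for t, kind in ((PAC_SERVER_CHECKSUM, server_kind), (PAC_PRIVSVR_CHECKSUM, kdc_kind)):
        if len(bufs[t]) - 4 != CKSUM[kind][2]:
            raise ValueError("signature length mismatch: cannot re-sign PAC in place")
    return sign(bufs[PAC_LOGON_INFO], server_kind, kdc_kind, server_key, kdc_key)

def resign_from_scratch(pac, server_kind, kdc_kind, server_key, kdc_key):
    # The workaround: keep only the data buffers and regenerate the whole PAC.
    return sign(parse(pac)[PAC_LOGON_INFO], server_kind, kdc_kind, server_key, kdc_key)
```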
