[Freeipa-devel] [PATCH] #2122 Fix PAC re-signing
Sumit Bose
sbose at redhat.com
Wed Nov 23 10:53:11 UTC 2011
On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> In some cases the KDC will decide to use a different checksum type when
> re-signing a PAC to include it in a service ticket.
>
> This is common in a cross-realm trust with AD as most AD DCs will use a
> HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> HMAC-SHA-AES when re-signing the PAC.
>
> In current MIT code re-signing a PAC with a signature that differs in
> length from the original will cause an error.
>
> While MIT should handle this properly, we use the workaround of
> regenerating the PAC from scratch so that there is no trace of the
> previous signatures.
>
> Tested while obtaining a cross-realm ticket from an AD domain against a
> service belonging to an IPA domain.
I see "authdata (kdb) handling failure: Cannot allocate memory" in
krb5kdc.log when trying to log in with putty into the IPA server. Do you
already have an idea or shall I start gdb?
bye,
Sumit
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
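An added example (not code from the patch, MIT krb5 or FreeIPA) modelling the two strategies the patch description contrasts: overwriting the existing PAC signature buffers in place, which cannot fit a 12-byte HMAC-SHA1-96-AES checksum into the 16-byte slots an HMAC-MD5 signer left behind, versus regenerating the PAC from scratch. The buffer layout follows MS-PAC; the checksum functions are simplified HMAC stand-ins rather than the real Kerberos checksum operations, and the keys and logon blob used in the test are constructed values.

```python
import hashlib
import hmac
import struct
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7  # MS-PAC buffer types
SIG_TYPES = (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RC4-era checksum AD DCs use: 16-byte signature
HMAC_SHA1_96_AES256 = 0x00000010      # AES checksum IPA's KDC chooses: 12-byte signature
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES256: 12}

def _mac(cktype, key, data):
    # Simplified stand-in (assumption): real Kerberos derives a usage-specific key first
    if cktype == KERB_CHECKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def build_pac(buffers):
    """PACTYPE header + PAC_INFO_BUFFER index; every buffer is padded to 8 bytes."""
    index, body, offset = b"", b"", 8 + 16 * len(buffers)
    for ultype, data in buffers:
        padded = data + b"\x00" * (-len(data) % 8)
        index += struct.pack("<IIQ", ultype, len(data), offset)
        body, offset = body + padded, offset + len(padded)
    return struct.pack("<II", len(buffers), 0) + index + body

def _index(pac):
    return [struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(struct.unpack_from("<I", pac)[0])]

def parse_pac(pac):
    return [(t, pac[off:off + size]) for t, size, off in _index(pac)]

def sign_pac(buffers, cktype, server_key, kdc_key):
    """The patch's approach: rebuild from scratch with fresh signature buffers sized for cktype."""
    data = [b for b in buffers if b[0] not in SIG_TYPES]
    zero = struct.pack("<I", cktype) + b"\x00" * SIG_LEN[cktype]
    server_sig = _mac(cktype, server_key, build_pac(data + [(t, zero) for t in SIG_TYPES]))
    sigs = zip(SIG_TYPES, [server_sig, _mac(cktype, kdc_key, server_sig)])
    return build_pac(data + [(t, struct.pack("<I", cktype) + s) for t, s in sigs])

def resign_in_place(pac, cktype, server_key, kdc_key):
    """Overwrite the existing slots without re-laying out the PAC; fails when the checksum length changes."""
    slots, buf = {}, bytearray(pac)
    for t, size, off in _index(pac):
        if t in SIG_TYPES:
            if size - 4 != SIG_LEN[cktype]:
                raise ValueError("%d-byte signature does not fit %d-byte slot" % (SIG_LEN[cktype], size - 4))
            slots[t], buf[off:off + size] = off, struct.pack("<I", cktype) + b"\x00" * (size - 4)
    server_sig = _mac(cktype, server_key, bytes(buf))
    for t, sig in zip(SIG_TYPES, [server_sig, _mac(cktype, kdc_key, server_sig)]):
        buf[slots[t] + 4:slots[t] + 4 + len(sig)] = sig
    return bytes(buf)
```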