[Freeipa-devel] [PATCHES] #1791 Trust Effort: Add support for generating MS-PAC

Simo Sorce simo at redhat.com
Fri Nov 4 14:49:40 UTC 2011


The attached patches are for master and concern the effort of creating
trust relationships between IPA and AD domains.

With these patches, if you have run ipa-adtrust-install, the IPA KDC will
be able to create a MS-PAC if the user has the right attributes:
ipaNTSecurityIdentifier on the user entry and on the primary group entry
are required (or a fallback primary group).
If the objects are not in place the MS-PAC generation is silently
skipped and no MS-PAC will be attached to the tickets.

The MS-PAC is always generated if all data is available; in future we
may think of making this conditional, but that is not in the scope of
these patches.

In order to apply these patches you need the coverity fix patches #2036
#2037 I sent yesterday.

In order to build this code you need samba 4 experimental packages with
the libndr_krb5pac.so library, header files and pkgconfig configuration
files.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-generating-PAC-for-AS-requests-for-u.patch
Type: text/x-patch
Size: 32966 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111104/d6592214/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-MS-PAC-Add-support-for-verifying-PAC-in-TGS-requests.patch
Type: text/x-patch
Size: 4020 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111104/d6592214/attachment-0001.bin>

