[Freeipa-devel] [PATCH] Add delegation info to MS-PAC

Petr Viktorin pviktori at redhat.com
Fri Sep 13 16:06:06 UTC 2013


On 09/13/2013 03:01 PM, Alexander Bokovoy wrote:
> On Thu, 07 Feb 2013, Simo Sorce wrote:
>> This information is not strictly required but is part of the MS-PAC
>> specification and I had some time to kill on the plane on my last trip
>> back.
>>
>> I tested it briefly with cross-realm trusts and it seems to work fine.
>> Neither IPA nor AD2012 complained when looking at PACs, so far.
> Reviving.
>
> It is actually a required part, as without it smbd will deny our attempt to
> establish the local part of the trust in some cases by misinterpreting what
> we put in the PAC and thinking that a service impersonating the original
> user is the actual user but taking the original user name as an account
> name.
>
> With this patch everything works fine. ACK.
>

I've added the ticket link to the commit message, and pushed to master: 
5157fd450fb33a7a3b68525a255d2976dbb0840a

-- 
Petr³



