[Freeipa-devel] [PATCH] Add delegation info to MS-PAC

Petr Viktorin pviktori at redhat.com
Mon Sep 16 07:54:51 UTC 2013


On 09/16/2013 09:14 AM, Alexander Bokovoy wrote:
> On Mon, 16 Sep 2013, Martin Kosek wrote:
>> On 09/13/2013 03:01 PM, Alexander Bokovoy wrote:
>>> On Thu, 07 Feb 2013, Simo Sorce wrote:
>>>> This information is not strictly required but is part of the MS-PAC
>>>> specification and I had some time to kill on the plane on my last trip
>>>> back.
>>>>
>>>> I tested it briefly with cross-realm trusts and it seems to work fine.
>>>> Neither IPA nor AD2012 complained when looking at PACs, so far.
>>> Reviving.
>>>
>>> It is actually a required part as without it smbd will deny our attempt to
>>> establish local part of the trust in some cases by misinterpreting what
>>> we put in the PAC and thinking that a service impersonating original
>>> user is the actual user but taking original user name as an account
>>> name.
>>>
>>> With this patch everything works fine. ACK.
>>>
>>
>> Is this fix required also for FreeIPA 3.3 and its features? I did not
>> understand that from the bug description.
> Yes. It is one of the fixes to the issues Tomas was seeing with his test
> automation scripts.

I've also pushed it to ipa-3-3: 7de103739172e4d3690d71fb686addc4edae027e

-- 
Petr³