diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
index e506a0fd2..faf47ad1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c
@@ -176,11 +176,21 @@ static krb5_error_code ipadb_sign_pac(krb5_context context,
 /* only pass with_realm TRUE when it is cross-realm ticket and S4U2Self * was requested */
+#ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
+ kerr = krb5_pac_full_sign_compat(
+ context, pac, authtime, client_princ, server->princ, server_key,
+ right_krbtgt_signing_key,
+ (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)),
+ pac_data
+ );
+#else
+ /* Use standard function, PAC extended KDC signature not supported */
 kerr = krb5_pac_sign_ext(context, pac, authtime, client_princ, server_key, right_krbtgt_signing_key, (is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)), pac_data);
+#endif
 done: free(princ);
diff --git a/server.m4 b/server.m4
index a5d083fa2..2ee2cf519 100644
--- a/server.m4
+++ b/server.m4
@@ -90,6 +90,15 @@ AC_CHECK_MEMBER([kdb_vftabl.issue_pac], [have_kdb_issue_pac=yes], [have_kdb_issue_pac=no], [#include ])
+dnl ---------------------------------------------------------------------------
+dnl - Check for KRB5 krb5_kdc_sign_ticket function
+dnl ---------------------------------------------------------------------------
+
+AC_CHECK_LIB(krb5, krb5_pac_full_sign_compat,
+ [AC_DEFINE([HAVE_KRB5_PAC_FULL_SIGN_COMPAT], [1],
+ [krb5_pac_full_sign_compat() is available.])],
+ [AC_MSG_NOTICE([krb5_pac_full_sign_compat() is not available])])
+
 dnl ---------------------------------------------------------------------------
 dnl - Check for UUID library
 dnl ---------------------------------------------------------------------------
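Review bot: The with_realm predicate `(is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION))` is now written out in both the `#ifdef` and the `#else` branch, so a later edit to one call can leave the two builds signing PACs under different conditions. Computing it once before the `#ifdef`, e.g. `krb5_boolean with_realm = is_issuing_referral && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION);`, and passing `with_realm` to both calls keeps them in step. The `#else` comment could also state what a fallback build loses, for example `/* libkrb5 lacks krb5_pac_full_sign_compat(): PAC is signed without the extended KDC signature */`. ipadb_sign_pac starts and ends outside this hunk, so where the declaration belongs cannot be seen from here.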
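Review bot: The `dnl` banner above the new check names `krb5_kdc_sign_ticket`, but the macro probes `krb5_pac_full_sign_compat`; the banner should read `dnl - Check for KRB5 krb5_pac_full_sign_compat function`. When the symbol is missing, configure only prints an `AC_MSG_NOTICE`, which is easy to overlook even though the KDB plugin then falls back to signing without the PAC extended KDC signature; `AC_MSG_WARN([krb5_pac_full_sign_compat() is not available, PAC extended KDC signature disabled])` would make that build outcome visible. AC_CHECK_LIB confirms only that the symbol links, so it is worth confirming that the installed krb5 header also declares the function.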