IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
015ae27598
freeipa/daemons
History
Alexander Bokovoy 015ae27598 ipa-kdb: add asserted identity SIDs 
Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:

 - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
 - S-1-18-2 is a SID for a Service Asserted Identity

This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".

In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
..
dnssec Fix various OpenDNSSEC 2.1 issues 2020-04-21 21:37:06 +02:00
ipa-kdb ipa-kdb: add asserted identity SIDs 2020-05-27 17:57:39 +03:00
ipa-otpd Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipa-sam Use /run and /run/lock instead of /var 2020-04-15 18:48:50 +02:00
ipa-slapi-plugins CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00