mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
0c08faf3c1
Previously, ipadb_check_logon_info() was called only for cross-realm case. Now we call it for both in-realm and cross-realm cases. In case of the S4U2Proxy, we would be passed a PAC of the original caller which might be a principal from the trusted realm. We cannot validate that PAC against our local client DB entry because this is the proxy entry which is guaranteed to have different SID. In such case, validate the SID of the domain in PAC against our realm and any trusted doman but skip an additional check of the DB entry in the S4U2Proxy case. Related: https://pagure.io/freeipa/issue/9031 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> |
||
---|---|---|
.. | ||
dnssec | ||
ipa-kdb | ||
ipa-otpd | ||
ipa-sam | ||
ipa-slapi-plugins | ||
ipa-version.h.in | ||
Makefile.am |