mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
0c32ebf858
When PAC check is performed, we might get a signing TGT instead of the client DB entry. This means it is a principal from a trusted domain but we don't know which one exactly because we only have a krbtgt for the forest root. This happens in MIT Kerberos 1.20 or later where KDB's issue_pac() callback never gets the original client principal directly. Look into known child domains as well and make pass the check if both NetBIOS name and SID correspond to one of the trusted domains under this forest root. Move check for the SID before NetBIOS name check because we can use SID of the domain in PAC to find out the right child domain in our trusted domains' topology list. Fixes: https://pagure.io/freeipa/issue/9316 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> |
||
---|---|---|
.. | ||
dnssec | ||
ipa-kdb | ||
ipa-otpd | ||
ipa-sam | ||
ipa-slapi-plugins | ||
ipa-version.h.in | ||
Makefile.am |