freeipa/daemons
Alexander Bokovoy 3e20a96c30 ipa-kdb: Always allow services to get PAC if needed
Previously, FreeIPA only allowed issuing a PAC record in a ticket
for the following principal types:
   - for IPA users
   - for a host principal of one of IPA masters
   - for a cifs/ or HTTP/ service on one of IPA masters

To allow S4U2Self operations over trust to AD, an impersonating service
must have a PAC record in its TGT to be able to ask AD DCs for a S4U2Self
ticket. It means any IPA service performing S4U2Self would need to have
a PAC record, and the constraints above prevent it from doing so.

However, depending on whether the service or host principal belongs to
one of IPA masters, we need to set proper primary RID to 516 (domain
controllers) or 515 (domain computers).

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
dnssec Fix various OpenDNSSEC 2.1 issues 2020-04-21 21:37:06 +02:00
ipa-kdb ipa-kdb: Always allow services to get PAC if needed 2020-05-27 17:57:39 +03:00
ipa-otpd Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipa-sam Use /run and /run/lock instead of /var 2020-04-15 18:48:50 +02:00
ipa-slapi-plugins CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00