Julien Rische 9cd5f49c74 kdb: Use krb5_pac_full_sign_compat() when available ... In November 2022, Microsoft introduced a new PAC signature type called "extended KDC signature" (or "full PAC checksum"). This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023. Support for this new signature type was added to MIT krb5, but it relies on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions, the code generating extended KDC signatures cannot be backported as it is without backporting the full new KDB API code too. This would have too much impact to be done. As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL 8 will include a downstream-only update adding the krb5_pac_full_sign_compat() function, which can be used in combination with the prior to 1.20 KDB API to generate PAC extended KDC signatures. Fixes: https://pagure.io/freeipa/issue/9373 Signed-off-by: Julien Rische <jrische@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>		2023-05-24 13:20:38 +02:00
..
dnssec	pylint: remove useless suppression	2023-01-10 08:30:58 +01:00
ipa-kdb	kdb: Use krb5_pac_full_sign_compat() when available	2023-05-24 13:20:38 +02:00
ipa-otpd	Fixes: ipa-otpd@.service: deprecated syslog setting	2022-12-19 08:06:52 +01:00
ipa-sam	ipa-sam: retrieve trusted domain account credential from the TDO itself	2022-04-13 18:37:12 +02:00
ipa-slapi-plugins	extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)	2022-10-04 14:01:56 +02:00
ipa-version.h.in	Build: move version handling from Makefile to configure	2016-11-09 13:08:32 +01:00
Makefile.am	build: Unify compiler warning flags used	2021-01-15 14:11:56 +01:00