mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-28 09:06:44 -06:00
d3ccfefaa4
When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com> |
||
|---|---|---|
| .. | ||
| tests | ||
| ipa_kdb_audit_as.c | ||
| ipa_kdb_common.c | ||
| ipa_kdb_delegation.c | ||
| ipa_kdb_mkey.c | ||
| ipa_kdb_mspac.c | ||
| ipa_kdb_passwords.c | ||
| ipa_kdb_principals.c | ||
| ipa_kdb_pwdpolicy.c | ||
| ipa_kdb.c | ||
| ipa_kdb.exports | ||
| ipa_kdb.h | ||
| Makefile.am | ||
| README | ||
| README.s4u2proxy.txt | ||
This is the ipa krb5kdc database backend.