Mirror of https://salsa.debian.org/freeipa-team/freeipa.git (synced 2025-02-25 18:55:28 -06:00)
From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089

--------
The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
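
The condition described in the quoted ticket can be checked on a PAC taken from a cross-realm TGT. The Python below is an added example, not code from FreeIPA or MIT krb5. It assumes the PACTYPE / PAC_INFO_BUFFER / PAC_SIGNATURE_DATA layout and checksum type numbers from [MS-PAC] and RFC 8009; the function names are hypothetical and the sample PAC is constructed with zeroed signatures.

```python
import struct

# Checksum types [MS-PAC] allows in PAC signature buffers -> signature length
MS_PAC_CKSUMS = {0xFFFFFF76: 16,  # KERB_CHECKSUM_HMAC_MD5
                 0x0000000F: 12,  # HMAC_SHA1_96_AES128
                 0x00000010: 12}  # HMAC_SHA1_96_AES256
# RFC 8009 aes-sha2 checksum types, produced when the signing key is aes-sha2
AES_SHA2_CKSUMS = {19: "hmac-sha256-128-aes128", 20: "hmac-sha384-192-aes256"}
PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 6, 7  # ulType values

def signature_buffers(pac: bytes):
    """Return [(ulType, SignatureType, signature length)] for the checksum buffers."""
    found = []
    count, _version = struct.unpack_from("<II", pac, 0)      # PACTYPE header
    for i in range(count):                                   # PAC_INFO_BUFFER array
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if ul_type not in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
            continue
        if size < 4 or offset + size > len(pac):
            raise ValueError(f"buffer {i}: bad size/offset")
        (sig_type,) = struct.unpack_from("<I", pac, offset)  # PAC_SIGNATURE_DATA
        found.append((ul_type, sig_type, size - 4))  # may include 2-byte RODCIdentifier
    return found

def privsvr_interop_problem(pac: bytes):
    """Describe a privsvr checksum whose type is outside MS_PAC_CKSUMS, else None."""
    for ul_type, sig_type, sig_len in signature_buffers(pac):
        if ul_type == PAC_PRIVSVR_CHECKSUM and sig_type not in MS_PAC_CKSUMS:
            name = AES_SHA2_CKSUMS.get(sig_type, "unknown")
            return f"privsvr checksum type {sig_type} ({name}), {sig_len} bytes"
    return None

def build_sample_pac(privsvr_type: int, sig_len: int) -> bytes:
    """Constructed sample: a PAC holding only the two checksum buffers."""
    bufs = [(PAC_SERVER_CHECKSUM, struct.pack("<I", 0x10) + bytes(12)),
            (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", privsvr_type) + bytes(sig_len))]
    table, body, base = b"", b"", 8 + 16 * len(bufs)
    for ul_type, data in bufs:
        table += struct.pack("<IIQ", ul_type, len(data), base + len(body))
        body += data + bytes(-len(data) % 8)                 # keep 8-byte alignment
    return struct.pack("<II", len(bufs), 0) + table + body

if __name__ == "__main__":
    print(privsvr_interop_problem(build_sample_pac(20, 24)))    # aes256-sha384 key
    print(privsvr_interop_problem(build_sample_pac(0x10, 12)))  # aes256-sha1 key
```
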