3d0decd ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

1 file. Authored by abbra 2 years ago, committed by frenaud 2 years ago.
    ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
    
    From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
    --------
    The KDC uses the first local TGT key for the privsvr and full PAC
    checksums.  If this key is of an aes-sha2 enctype in a cross-realm
    TGT, a Microsoft KDC in the target realm may reject the ticket because
    it has an unexpectedly large privsvr checksum buffer.  This behavior
    is unnecessarily picky as the target realm KDC cannot and does not
    need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
    checksum key to three specific enctypes.
    --------
    
    Use MIT Kerberos 1.21+ facility to hint about proper enctype for
    cross-realm TGT.
    
    Fixes: https://pagure.io/freeipa/issue/9124
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>
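
The constraint quoted in the commit message can be checked on a captured PAC signature buffer. The following is an added example, not code from FreeIPA or MIT krb5: it classifies one PAC_SIGNATURE_DATA buffer against the three checksum types [MS-PAC] lists and flags the RFC 8009 aes-sha2 types. The function names are hypothetical, the sample buffers are constructed, and `buf` is assumed to be exactly the buffer's declared size.

```python
import struct

# Checksum types [MS-PAC] lists for PAC_SIGNATURE_DATA, with signature length in bytes.
MS_PAC_ALLOWED = {
    0xFFFFFF76: ("KERB_CHECKSUM_HMAC_MD5", 16),
    0x0000000F: ("HMAC_SHA1_96_AES128", 12),
    0x00000010: ("HMAC_SHA1_96_AES256", 12),
}
# RFC 8009 aes-sha2 checksum types, which [MS-PAC] does not list.
AES_SHA2 = {
    19: ("hmac-sha256-128-aes128", 16),
    20: ("hmac-sha384-192-aes256", 24),
}


def check_signature_buffer(buf):
    """Classify one PAC_SIGNATURE_DATA buffer.

    Layout: SignatureType (4 bytes, little-endian), Signature,
    then an optional 2-byte RODCIdentifier.
    Returns (acceptable_per_ms_pac, description).
    """
    if len(buf) < 4:
        return False, "truncated: no SignatureType"
    (sig_type,) = struct.unpack_from("<I", buf, 0)
    body = len(buf) - 4
    if sig_type in MS_PAC_ALLOWED:
        name, size = MS_PAC_ALLOWED[sig_type]
        # Signature alone, or signature followed by the RODCIdentifier.
        if body in (size, size + 2):
            return True, name
        return False, f"{name}: expected {size} signature bytes, got {body}"
    if sig_type in AES_SHA2:
        name, size = AES_SHA2[sig_type]
        return False, f"{name}: not an MS-PAC checksum type ({size}-byte signature)"
    return False, f"unknown SignatureType 0x{sig_type:08x}"


def make_buffer(sig_type, sig_len):
    """Build a constructed sample buffer with an all-zero signature."""
    return struct.pack("<I", sig_type) + bytes(sig_len)


if __name__ == "__main__":
    # Constructed samples: aes256-sha1 (what the hint selects) and aes256-sha2.
    for sample in (make_buffer(16, 12), make_buffer(20, 24)):
        print(check_signature_buffer(sample))
```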