freeipa

Clone
Source Code
GIT

4723100 ipa-kdb: add UPN_DNS_INFO PAC structure

Authored and Committed by abbra 3 years ago
raw patch tree parent
1 file changed. 42 lines added. 0 lines removed.
daemons/ipa-kdb/ipa_kdb_mspac.c
file modified
+42 -0 
    ipa-kdb: add UPN_DNS_INFO PAC structure
    
    UPN_DNS_INFO structure contains the client's user principal name (UPN)
    and a fully qualified domain name. It is used to provide the UPN and the
    FQDN that corresponds to the client of the ticket.
    
    The structure is defined in MS-PAC section 2.10. MS-KILE specification
    says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
    further clarifies in section 3.3.5.2 that if the user account object has no
    userPrincipalName attribute, UPN_DNS_INFO should be constructed by
    concatenating user name, the "@" symbol, and the DNS name of the domain.
    
    IPA users don't really have userPrincipalName attribute. Instead, we
    always construct their account names in LOGON Info3 structure by
    unparsing the canonical principal name without realm, meaning that user
    principal can be recovered by concatenating the account name and the
    realm (domain).
    
    Unless the account name and unparsed client principal name are different
    or the primary Info3 gid (group RID) is the one for machine accounts,
    mark the UPN as constructed.
    
    Related: https://pagure.io/freeipa/issue/8319
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Isaac Boukris <iboukris@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
file modified
+42 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.