freeipa

Clone
Source Code
GIT

adf5ab7 ipa-kdb: Use proper account flags for Kerberos principal in PAC

1 file Authored by abbra 2 years ago, Committed by rcritten 2 years ago,
raw patch tree parent
1 file changed. 15 lines added. 4 lines removed.
daemons/ipa-kdb/ipa_kdb_mspac.c
file modified
+15 -4 
    ipa-kdb: Use proper account flags for Kerberos principal in PAC
    
    As part of CVE-2020-25717 mitigations, Samba expects correct user
    account flags in the PAC. This means for services and host principals we
    should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
    run on IPA clients ("workstation" or "domain member") or IPA servers
    ("domain controller").
    
    Fixes: https://pagure.io/freeipa/issue/9031
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
file modified
+15 -4
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.