cf97590 Add PAC to master host TGTs

1 file Authored by sbose 10 years ago, Committed by abbra 10 years ago,
    Add PAC to master host TGTs
    
    For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
    needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
    of a trusted domain with the credentials of a FreeIPA server host a
    PAC must be added to the TGT for the host.
    
    We use the well-known RID of the Domain Computers group (515) for the
    primary gid element of the PAC; this is the same as AD uses for host
    tickets.  The rid element of the PAC is set to the well-known RID of the
    Domain Controllers group (516). This is working for the SSSD use case
    but might be improved later for more general use cases.
    
    To determine whether a host is a FreeIPA server or not, it is checked whether
    there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
    this requires an additional LDAP lookup. But since TGS-REQs for hosts
    should be rare, I think it is acceptable for the time being.
    
    Fixes https://fedorahosted.org/freeipa/ticket/3651
    
        
file modified
+115 -39