ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
authdata is no longer generated. However, on krb5 versions prior to
1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
requirement is not needed, because the PAC signatures are already
fulfilling this role.
CentOS and RHEL downstream releases of krb5 will include the
"optional_ad_signedpath" KDB string attribute allowing to disable the
AD-SIGNEDPATH requirement in case the PAC is present.
This commit sets the "optional_ad_signedpath" string attribute to "true"
systematically on the TGS principal if the database abstract layer (DAL)
of krb5 is version 8 or older (prior to krb5 1.20).
Fixes: https://pagure.io/freeipa/issue/9448
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>