d551e85 ipa-kdb: process out of realm server lookup during S4U

1 file. Authored by abbra a year ago, committed by frenaud a year ago.
    ipa-kdb: process out of realm server lookup during S4U
    
    Kerberos principal aliases lookup had a long-standing TODO item to
    support server referrals for host-based aliases. This commit implements
    server referrals for hosts belonging to trusted domains. The use-case is
    a part of S4U processing in a two-way trust when an IPA service requests
    a ticket to a host in a trusted domain (e.g. service on AD DC). In such a
    situation, the server principal in the TGS request will be a normal
    principal in our domain and the KDC needs to respond with a server
    referral. This referral can be issued by a KDB driver or by the KDC
    itself, using the 'domain_realms' section of krb5.conf. Since KDB knows
    all suffixes
    associated with the trusted domains, implement the logic there.
    
    Fixes: https://pagure.io/freeipa/issue/9164
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>
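
The decision the commit message describes, mapping the host part of a requested server principal to the realm of a trusted domain, as an added example that is not ipa-kdb's code. The struct, the function names and the sample suffixes are hypothetical; this sketch matches suffixes only on a DNS label boundary and prefers the longest one, so a lookalike name is not referred to the trusted realm.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: DNS suffixes of trusted domains and their realms. */
struct trust_suffix { const char *suffix; const char *realm; };
static const struct trust_suffix sample_trusts[] = {
    { "ad.example", "AD.EXAMPLE" },
    { "child.ad.example", "CHILD.AD.EXAMPLE" },
};

/* Case-insensitive comparison of the first n bytes of a and b. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return the realm to refer to for `host`, or NULL when no trusted suffix
 * matches. A match must start on a label boundary; the longest match wins. */
const char *referral_realm_for_host(const char *host,
                                    const struct trust_suffix *trusts, size_t n)
{
    const char *best = NULL;
    size_t best_len = 0, hlen = strlen(host);
    if (hlen > 0 && host[hlen - 1] == '.')  /* ignore the trailing dot of an FQDN */
        hlen--;
    for (size_t i = 0; i < n; i++) {
        size_t slen = strlen(trusts[i].suffix);
        if (slen == 0 || slen > hlen || slen <= best_len)
            continue;
        if (!eq_nocase(host + hlen - slen, trusts[i].suffix, slen))
            continue;
        if (slen == hlen || host[hlen - slen - 1] == '.') {
            best = trusts[i].realm;
            best_len = slen;
        }
    }
    return best;
}

int main(void)
{
    const char *r = referral_realm_for_host("dc1.ad.example", sample_trusts, 2);
    printf("dc1.ad.example -> %s\n", r ? r : "(none)");
    r = referral_realm_for_host("evilad.example", sample_trusts, 2);
    printf("evilad.example -> %s\n", r ? r : "(none)");
}
```

A NULL result means the name is handled as an ordinary principal of the local realm and no referral is issued.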