e00f457 ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

1 file. Authored by abbra a year ago, committed by frenaud a year ago.
    ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
    
    From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
    --------
    The KDC uses the first local TGT key for the privsvr and full PAC
    checksums.  If this key is of an aes-sha2 enctype in a cross-realm
    TGT, a Microsoft KDC in the target realm may reject the ticket because
    it has an unexpectedly large privsvr checksum buffer.  This behavior
    is unnecessarily picky as the target realm KDC cannot and does not
    need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
    checksum key to three specific enctypes.
    --------
    
    Use MIT Kerberos 1.21+ facility to hint about proper enctype for
    cross-realm TGT.
    
    Fixes: https://pagure.io/freeipa/issue/9124
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Julien Rische <jrische@redhat.com>
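
The size mismatch the commit message describes can be checked on a decoded PAC. The following is an added example, not code from this commit or from FreeIPA. It reads the server and privsvr PAC_SIGNATURE_DATA buffers and flags any signature type outside the three that [MS-PAC] allows. The function names and sample PACs are constructed for illustration; the numeric type values and lengths are taken from [MS-PAC] and RFC 8009.

```python
import struct

# [MS-PAC] PAC_SIGNATURE_DATA: SignatureType -> (name, signature length in bytes)
MS_PAC_SIGNATURE_TYPES = {
    -138: ("KERB_CHECKSUM_HMAC_MD5", 16),
    15: ("HMAC_SHA1_96_AES128", 12),
    16: ("HMAC_SHA1_96_AES256", 12),
}
# RFC 8009 checksum types produced by the aes-sha2 enctypes
AES_SHA2_CKSUMTYPES = {19: "HMAC_SHA256_128_AES128", 20: "HMAC_SHA384_192_AES256"}
SERVER_CHECKSUM, PRIVSVR_CHECKSUM = 6, 7  # PAC_INFO_BUFFER ulType values

def audit_pac_checksums(pac: bytes) -> dict:
    """Return {ulType: (name, sig_len, acceptable)} for the two checksum buffers."""
    count, _version = struct.unpack_from("<II", pac, 0)
    if 8 + 16 * count > len(pac):
        raise ValueError("truncated PAC_INFO_BUFFER array")
    report = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if ul_type not in (SERVER_CHECKSUM, PRIVSVR_CHECKSUM):
            continue
        if size < 4 or offset + size > len(pac):
            raise ValueError(f"checksum buffer {ul_type} out of bounds")
        (sig_type,) = struct.unpack_from("<i", pac, offset)
        sig_len = size - 4
        if sig_type in MS_PAC_SIGNATURE_TYPES:
            name, expected = MS_PAC_SIGNATURE_TYPES[sig_type]
            ok = sig_len in (expected, expected + 2)  # +2: optional RODCIdentifier
        else:
            name = AES_SHA2_CKSUMTYPES.get(sig_type, f"unknown({sig_type})")
            ok = False
        report[ul_type] = (name, sig_len, ok)
    return report

def build_pac(buffers):
    """Constructed sample: build a PAC from [(ulType, SignatureType, sig_len)]."""
    offset = 8 + 16 * len(buffers)
    table, body = b"", b""
    for ul_type, sig_type, sig_len in buffers:
        data = struct.pack("<i", sig_type) + bytes(sig_len)
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        data += bytes(-len(data) % 8)  # PAC buffers are 8-byte aligned
        body += data
        offset += len(data)
    return struct.pack("<II", len(buffers), 0) + table + body

SHA2_TGT_PAC = build_pac([(6, 16, 12), (7, 20, 24)])  # privsvr key: aes256-sha2
SHA1_TGT_PAC = build_pac([(6, 16, 12), (7, 16, 12)])  # privsvr key: aes256-sha1
```

Run against a PAC extracted from a cross-realm TGT, a `False` in the privsvr entry marks a ticket that a strict target-realm KDC may reject.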