The logon_domain in the PAC should be validated against the realm of the principal that owns the PAC. Otherwise technically one trust domain could try to attack another by giving us a same named user and injecting a domain name of a different trusted domain.
Comitted: c58836f
Rename component.
Metadata Update from @sbose: - Issue assigned to simo - Issue set to the milestone: FreeIPA 3.0 Beta 2
Login to comment on this ticket.