Windows 2012 slightly changed what it sends in the MS-PAC, and it sends a special SID in the ExtraSids buffer.
Our validation currently considers anything but 0 extra sids a validation error. However, upon consultation with MS Documentation Engineers at the AD IO Lab and upon further reading of the docs, we shouldn't have considered this a validation error, but should simply have done filtering at most.
The validation rules need to be relaxed, otherwise we always fail to release a ticket to any TG request from users coming from a trust relationship with a Windows 2012 domain controller.
We need to fail if our own SIDs are in ExtraSids. I'll take it over.
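An added illustration of the relaxed rule discussed above, not FreeIPA's own code: a non-empty ExtraSids buffer is no longer an error by itself, the PAC is rejected only when an extra SID falls under our own domain SID, and the rest is filtered. The function names, the string form of the SIDs and the `drop` list are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Nonzero when sid is domain_sid itself or lies under it (domain SID + RID).
 * The prefix must end at '-' or at the end of the string, so that
 * S-1-5-21-1-2-33 is not taken for a member of S-1-5-21-1-2-3. */
static int sid_in_domain(const char *sid, const char *domain_sid)
{
    size_t n = strlen(domain_sid);

    if (strncmp(sid, domain_sid, n) != 0)
        return 0;
    return sid[n] == '\0' || sid[n] == '-';
}

/* Apply the relaxed rule to the ExtraSids of a PAC from a trusted domain.
 * Returns -1 when the PAC must be rejected (an extra SID claims our own
 * domain), otherwise the number of SIDs kept; extra[] is compacted in place.
 * drop[] is a hypothetical list of SIDs that local policy filters out. */
int filter_extra_sids(const char **extra, size_t count,
                      const char *local_domain_sid,
                      const char *const *drop, size_t ndrop)
{
    size_t i, j, kept = 0;

    /* First pass: decide on rejection before modifying anything. */
    for (i = 0; i < count; i++)
        if (sid_in_domain(extra[i], local_domain_sid))
            return -1;

    /* Second pass: filter instead of failing on a non-empty buffer. */
    for (i = 0; i < count; i++) {
        int filtered = 0;

        for (j = 0; j < ndrop; j++)
            if (strcmp(extra[i], drop[j]) == 0)
                filtered = 1;
        if (!filtered)
            extra[kept++] = extra[i];
    }
    return (int)kept;
}
```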
master: 32916d4
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=910453 (Red Hat Enterprise Linux 7)
Merge KDC LDAP components to one.
Metadata Update from @simo: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.1 Stabilization