#8310 Refactor ipadb_sign_authdata() to better support S4U2Self and krb5 1.18+
Closed: fixed 11 months ago by abbra. Opened 3 years ago by abbra.

S4U2Self operation needs better support in the IPA KDB driver. In particular, cross-realm S4U2Self does not produce a PAC in the resulting ticket, which makes it useless for group membership checks.

In addition, with MIT Kerberos 1.18, the API for sign_authdata() was extended to allow the callback to provide information about authentication indicators in PAC or generate them based on the PAC content.

This ticket should be used to track refactoring of ipadb_sign_authdata() code.


Metadata Update from @abbra:
- Issue assigned to abbra

2 years ago

Metadata Update from @abbra:
- Issue set to the milestone: Global Catalog and IPA-IPA trust

2 years ago

Closing as this work was done as part of RBCD support.

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

11 months ago
