Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 9): Bug 2182683
We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37. The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also require the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted. However, the signature generation function cannot be used by prior to 1.20 versions of krb5 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerate the absence of the ticket signature. When the version of krb5 is 1.20 or newer, this is not a problem. However, in case of gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature. In order to keep supporting constrained delegation in this kind of setup, we are adding support for a "optional_pac_full_chksum" string attribute for KDB entries. It will allow to tolerate the absence of PAC ticket signature for a certain realm. IPA should be able to set this attribute according to the state of the domain: * Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present * Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+ [1] https://github.com/krb5/krb5/pull/1284
Metadata Update from @jrische: - Issue assigned to jrische
Metadata Update from @jrische: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2182683
Issue linked to bug 2182683
master:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.