To enable PAC generation, the "MS-PAC" value has to be set for "ipaKrbAuthzData" in "cn=ipaConfig,cn=etc,$SUFFIX".
However, the LDIF file is using the "addifnew" instruction, which is skipped in case the attribute already exists. This is not the behaviour we want. "MS-PAC" should be added unconditionally, especially now on RHEL 8 where the PAC is required by the Bronze-Bit attack detection mechanism. Not supporting the PAC breaks the IPA API on this RHEL version.
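The difference described above, as an added example that is not FreeIPA's own code: a simplified model of the two update instructions applied to the `ipaKrbAuthzData` attribute. The `add` semantics (append the value when that exact value is missing), the `nfs:NONE` value and all function names are assumptions made for illustration.

```python
# Simplified model of two update-file instructions (illustration only,
# not the FreeIPA updater). Entries are dicts: attribute -> list of values.

def apply_instruction(entry, action, attr, value):
    """Return a copy of entry after applying one update instruction."""
    result = {k: list(v) for k, v in entry.items()}
    current = result.get(attr, [])
    if action == "addifnew":
        # Skipped as soon as the attribute already holds any value.
        if not current:
            result[attr] = [value]
    elif action == "add":
        # Assumed semantics: add unless this exact value is present.
        if value not in current:
            result[attr] = current + [value]
    else:
        raise ValueError(f"unsupported action: {action}")
    return result


def pac_enabled(entry):
    """True when MS-PAC is among the ipaKrbAuthzData values."""
    return "MS-PAC" in entry.get("ipaKrbAuthzData", [])


# Constructed sample states of cn=ipaConfig,cn=etc,$SUFFIX.
FRESH = {"cn": ["ipaConfig"]}
CUSTOMISED = {"cn": ["ipaConfig"], "ipaKrbAuthzData": ["nfs:NONE"]}


def compare():
    """Report, per starting state and instruction, whether PAC ends up enabled."""
    rows = {}
    for name, entry in (("fresh", FRESH), ("customised", CUSTOMISED)):
        rows[name] = {
            action: pac_enabled(
                apply_instruction(entry, action, "ipaKrbAuthzData", "MS-PAC")
            )
            for action in ("addifnew", "add")
        }
    return rows


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

In this model, an entry that already carries any `ipaKrbAuthzData` value never receives `MS-PAC` under `addifnew`, which is the case the ticket describes.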
Metadata Update from @jrische: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-49437
master:
ipa-4-12:
ipa-4-11:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-49437, https://issues.redhat.com/browse/RHEL-52305, https://issues.redhat.com/browse/RHEL-52306 (was: https://issues.redhat.com/browse/RHEL-49437)