Subject: The PAC must be the first ad-element
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 31 Jan 2020 13:46:36 +0100
Message-ID: <CAC-fF8SKJFAqoQ3JnE1B_zj6wpiGoyJKupyi6NNb-VL=CBk9HA@mail.gmail.com>
To: krbdev@mit.edu, Alexander Bokovoy <ab@samba.org>,
Andreas Schneider <asn@samba.org>, Greg Hudson <ghudson@mit.edu>,
harwood@redhat.com
Hi,
When I recently confirmed that Windows hosts have no problem with
other ad-elements alongside the PAC, I was too lazy to test a change of
order. Today I tested it and found that Windows servers are not happy
when the PAC is not the first ad-if-relevant element.
The error is somewhat tricky, since the LDAP bind succeeds using the
ticket, but the subsequent search call fails with (see more details in
https://pagure.io/freeipa/issue/8185):
"In order to perform this operation a successful bind must be
completed on the connection"
Technically the current KDC code looks alright, although maybe I'll
add a code comment and a test for it. But Alexander pointed out that
the previous KDC code in v1.17 is not good, as it would place the CAMMAC
as the first element (fixed in 7196c03f18f14695abeb5ae4923004469b172f0f).
https://github.com/krb5/krb5/blob/master/src/kdc/kdc_authdata.c#L849-L867
https://github.com/krb5/krb5/blob/krb5-1.17/src/kdc/kdc_authdata.c#L869-L885
Isaac
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
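As an added example (not code from the email or the krb5 project), a minimal DER encoder/decoder for Kerberos AuthorizationData plus a check for the ordering Isaac describes: the first ad-element must be an AD-IF-RELEVANT container whose first member is the PAC. It assumes, for this example only, that the PAC and the CAMMAC each sit in their own AD-IF-RELEVANT container, and the PAC/CAMMAC bodies are constructed placeholders.

```python
# Added example, not from the email or krb5; assumes (for this example) that the PAC and
# the CAMMAC each sit in their own AD-IF-RELEVANT container. Bodies are placeholders.
AD_IF_RELEVANT, AD_CAMMAC, AD_WIN2K_PAC = 1, 96, 128  # RFC 4120, RFC 7751, MS-PAC
def _tlv(tag, body):  # DER tag-length-value (long-form length when >= 0x80)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _int(n):  # DER INTEGER for a non-negative ad-type (leading 0x00 if high bit set)
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_authdata(elements):
    """[(ad_type, ad_data), ...] -> DER AuthorizationData (RFC 4120 section 5.2.6)."""
    return _tlv(0x30, b"".join(_tlv(0x30, _tlv(0xA0, _int(t)) + _tlv(0xA1, _tlv(0x04, d)))
                               for t, d in elements))

def _read_tlv(buf, pos):  # -> (tag, body, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def decode_authdata(der):
    """DER AuthorizationData -> [(ad_type, ad_data), ...], preserving element order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    elems, pos = [], 0
    while pos < len(body):
        _, el, pos = _read_tlv(body, pos)
        _, tbody, p = _read_tlv(el, 0)  # [0] EXPLICIT ad-type
        _, dbody, _ = _read_tlv(el, p)  # [1] EXPLICIT ad-data
        elems.append((int.from_bytes(_read_tlv(tbody, 0)[1], "big"), _read_tlv(dbody, 0)[1]))
    return elems

def pac_is_first(authdata_der):
    """The check from the mail: first ad-element is AD-IF-RELEVANT and its first member is the PAC."""
    elems = decode_authdata(authdata_der)
    if not elems or elems[0][0] != AD_IF_RELEVANT:
        return False
    inner = decode_authdata(elems[0][1])
    return bool(inner) and inner[0][0] == AD_WIN2K_PAC
# Constructed placeholder bodies; real PAC and CAMMAC contents are opaque blobs here.
PAC, CAMMAC = b"<constructed-pac>", b"<constructed-cammac>"
def _wrap(t, d):  # one AD-IF-RELEVANT container holding a single element
    return (AD_IF_RELEVANT, encode_authdata([(t, d)]))
TICKET_1_17 = encode_authdata([_wrap(AD_CAMMAC, CAMMAC), _wrap(AD_WIN2K_PAC, PAC)])  # CAMMAC first
TICKET_FIXED = encode_authdata([_wrap(AD_WIN2K_PAC, PAC), _wrap(AD_CAMMAC, CAMMAC)])  # PAC first
```

Running `pac_is_first` over a service ticket's decrypted authorization-data is a cheap regression check for a KDC that emits both a PAC and a CAMMAC.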