The PAC must be the first ad-element

Isaac Boukris iboukris at gmail.com
Fri Jan 31 07:46:36 EST 2020


Hi,

When I recently confirmed that Windows hosts have no problem with
other ad-elements alongside the PAC, I was too lazy to test a change of
order. Today I tested it and found that Windows servers are not happy
when the PAC is not the first ad-if-relevant element.

The error is somewhat tricky, since the LDAP bind succeeds using the
ticket, but the subsequent search call fails with the following error
(more details in https://pagure.io/freeipa/issue/8185):
"In order to perform this operation a successful bind must be
completed on the connection"

Technically the current KDC code looks alright, although maybe I'll
add a code comment and a test for it. But Alexander pointed out that
the previous KDC code in v1.17 is not good, as it would place the CAMMAC
as the first element (fixed in 7196c03f18f14695abeb5ae4923004469b172f0f).

https://github.com/krb5/krb5/blob/master/src/kdc/kdc_authdata.c#L849-L867
https://github.com/krb5/krb5/blob/krb5-1.17/src/kdc/kdc_authdata.c#L869-L885

Isaac
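As an added example (not code from the message above or from krb5), the following Python encodes and decodes the Kerberos AuthorizationData type by hand, builds an AD-IF-RELEVANT container from a list of elements, and checks whether the AD-WIN2K-PAC element is first. The ad-type numbers are the registered values from RFC 4120 and RFC 7751; the PAC and CAMMAC payloads are constructed placeholder bytes, and the function names are assumptions of this example, not krb5 APIs.

```python
# Added example, not krb5 code: hand-rolled DER for Kerberos AuthorizationData
# to illustrate the AD-IF-RELEVANT element order discussed in the message.
# PAC and CAMMAC payloads are constructed placeholders, not real structures.

AD_IF_RELEVANT = 1    # RFC 4120
AD_CAMMAC = 96        # RFC 7751
AD_WIN2K_PAC = 128    # RFC 4120 section 7.5.4


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Minimal two's-complement INTEGER; note that 128 needs a leading 0x00."""
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_authdata(elements):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE {
           ad-type [0] Int32, ad-data [1] OCTET STRING }"""
    items = b"".join(
        der_tlv(0x30, der_tlv(0xA0, der_int(t)) + der_tlv(0xA1, der_tlv(0x04, d)))
        for t, d in elements)
    return der_tlv(0x30, items)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_authdata(buf):
    """Inverse of encode_authdata: returns a list of (ad_type, ad_data)."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single DER SEQUENCE")
    elements, pos = [], 0
    while pos < len(body):
        tag, elem, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AuthorizationData element is not a SEQUENCE")
        tag0, t_body, p = _read_tlv(elem, 0)
        tag1, d_body, _ = _read_tlv(elem, p)
        if tag0 != 0xA0 or tag1 != 0xA1:
            raise ValueError("unexpected context tags in element")
        itag, ibytes, _ = _read_tlv(t_body, 0)
        otag, data, _ = _read_tlv(d_body, 0)
        if itag != 0x02 or otag != 0x04:
            raise ValueError("ad-type must be INTEGER, ad-data OCTET STRING")
        elements.append((int.from_bytes(ibytes, "big", signed=True), data))
    return elements


def build_if_relevant(elements, pac_first=True):
    """Wrap elements in one AD-IF-RELEVANT container inside an outer
    AuthorizationData. With pac_first=True the AD-WIN2K-PAC element is moved
    to the front (other elements keep their relative order); pac_first=False
    keeps the caller's order, which is how a CAMMAC can end up ahead of the PAC."""
    if pac_first:
        elements = ([e for e in elements if e[0] == AD_WIN2K_PAC]
                    + [e for e in elements if e[0] != AD_WIN2K_PAC])
    return encode_authdata([(AD_IF_RELEVANT, encode_authdata(elements))])


def pac_is_first(outer):
    """True if every AD-IF-RELEVANT container that carries a PAC has it first."""
    for ad_type, ad_data in decode_authdata(outer):
        if ad_type != AD_IF_RELEVANT:
            continue
        types = [t for t, _ in decode_authdata(ad_data)]
        if AD_WIN2K_PAC in types and types[0] != AD_WIN2K_PAC:
            return False
    return True


# Constructed placeholder payloads; real PAC/CAMMAC contents are far larger.
PAC = b"PAC-PLACEHOLDER-" * 10
CAMMAC = b"CAMMAC-PLACEHOLDER"

if __name__ == "__main__":
    good = build_if_relevant([(AD_CAMMAC, CAMMAC), (AD_WIN2K_PAC, PAC)])
    bad = build_if_relevant([(AD_CAMMAC, CAMMAC), (AD_WIN2K_PAC, PAC)], pac_first=False)
    print("PAC first:", pac_is_first(good), "| CAMMAC first:", pac_is_first(bad))
```

The `pac_first=False` path reproduces the ordering the message attributes to the 1.17 KDC (CAMMAC ahead of the PAC); `pac_is_first` is the kind of check a test could run over a KDC-issued ticket's decrypted authorization data.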


More information about the krbdev mailing list