
ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10]

Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH authdata is no longer generated. However, on krb5 versions prior to 1.20, the KDC still expects an AD-SIGNEDPATH when verifying a constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this requirement is not needed, because the PAC signatures are already fulfilling this role.

CentOS and RHEL downstream releases of krb5 will include the "optional_ad_signedpath" KDB string attribute, which allows the AD-SIGNEDPATH requirement to be disabled when the PAC is present.

This commit sets the "optional_ad_signedpath" string attribute to "true" systematically on the TGS principal if the database abstract layer (DAL) of krb5 is version 8 or older (prior to krb5 1.20).

Fixes: RHEL-10495
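The decision the merge request describes can be modelled in a few lines: tag the TGS principal only on DAL 8 or older, and let the KDC-side check fall back to requiring AD-SIGNEDPATH whenever the PAC is absent. The C below is an added illustration, not ipa-kdb or krb5 code; the `kdb_entry` struct, `set_string`/`get_string` helpers and the `kdc_requires_signedpath` model are assumptions standing in for krb5's `krb5_db_entry`, `krb5_dbe_set_string`/`krb5_dbe_get_string` and the downstream KDC logic, and the DAL version is passed in as a plain integer instead of being read from `KRB5_KDB_DAL_MAJOR_VERSION` in `<kdb.h>`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a KDB principal entry carrying string attributes
 * (key=value pairs, as managed by kadmin's set_string/get_strings).
 * Hypothetical: the real type is krb5_db_entry from <kdb.h>. */
#define MAX_ATTRS 8
struct kdb_entry {
    const char *principal;
    const char *keys[MAX_ATTRS];
    const char *values[MAX_ATTRS];
    int n;
};

/* Set or overwrite one string attribute; returns 0 on success, -1 when full.
 * Stand-in for krb5_dbe_set_string(). */
static int set_string(struct kdb_entry *e, const char *key, const char *value)
{
    for (int i = 0; i < e->n; i++) {
        if (strcmp(e->keys[i], key) == 0) {
            e->values[i] = value;
            return 0;
        }
    }
    if (e->n >= MAX_ATTRS)
        return -1;
    e->keys[e->n] = key;
    e->values[e->n] = value;
    e->n++;
    return 0;
}

/* Look up one string attribute, NULL if unset. Stand-in for krb5_dbe_get_string(). */
static const char *get_string(const struct kdb_entry *e, const char *key)
{
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->keys[i], key) == 0)
            return e->values[i];
    return NULL;
}

/* What the merge request does: on DAL major version 8 or older (krb5 < 1.20)
 * the KDC still demands AD-SIGNEDPATH on S4U2Proxy, so mark the TGS principal
 * with optional_ad_signedpath=true. On DAL 9+ the PAC is generated by default
 * and no AD-SIGNEDPATH is produced, so nothing needs to change. */
int ipa_tag_tgs_principal(struct kdb_entry *tgs, int dal_major)
{
    if (dal_major > 8)
        return 0;
    return set_string(tgs, "optional_ad_signedpath", "true");
}

/* Model of the downstream KDC check for a constrained-delegation TGS-REQ:
 * AD-SIGNEDPATH stays mandatory unless the PAC is present AND the TGS
 * principal carries optional_ad_signedpath=true. A missing PAC is never
 * excused by the attribute, so the integrity check is only relaxed when the
 * PAC signatures can take over the role. */
bool kdc_requires_signedpath(const struct kdb_entry *tgs, bool pac_present)
{
    const char *opt = get_string(tgs, "optional_ad_signedpath");
    if (pac_present && opt != NULL && strcmp(opt, "true") == 0)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample principal; the realm is a placeholder. */
    struct kdb_entry tgs = { "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", {0}, {0}, 0 };
    ipa_tag_tgs_principal(&tgs, 8);
    printf("DAL 8, PAC present : signedpath required = %d\n",
           kdc_requires_signedpath(&tgs, true));
    printf("DAL 8, PAC missing : signedpath required = %d\n",
           kdc_requires_signedpath(&tgs, false));
    return 0;
}
```

The second model function is the part worth checking on a real deployment: the attribute only relaxes the check in the presence of a PAC, so a ticket without a PAC is still rejected exactly as before the change.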
