On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> In some cases the KDC will decide to use a different checksum type when
> re-signing a PAC to include it in a service ticket.
> 
> This is common in a cross-realm trust with AD as most AD DCs will use a
> HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> HMAC-SHA-AES when re-signing the PAC.
> 
> In current MIT code, re-signing a PAC with a signature that differs in
> length from the original will cause an error.
> 
> While MIT should handle this properly, we use the workaround of
> regenerating the PAC from scratch so that there is no trace of the
> previous signatures.
> 
> Tested while obtaining a cross-realm ticket from an AD domain against a
> service belonging to an IPA domain.

I see "authdata (kdb) handling failure: Cannot allocate memory" in
krb5kdc.log when trying to log in with putty into the IPA server. Do you
already have an idea, or shall I start gdb?

bye,
Sumit

> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
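The layout problem behind the patch Simo describes above (a re-signed PAC whose new
checksum is a different length than the one it replaces), as an added illustration
that is not code from FreeIPA or MIT Kerberos. It builds a PAC in the MS-PAC wire
layout (PACTYPE header, PAC_INFO_BUFFER array, 8-byte-aligned buffers, two
PAC_SIGNATURE_DATA buffers), signs it the way an AD DC would with a 16-byte
KERB_CHECKSUM_HMAC_MD5, then shows that switching the checksum type in place to a
12-byte hmac-sha1-96-aes256 fails because the signature no longer fits its slot,
while regenerating the PAC from the data buffers with fresh signature buffers
succeeds. The buffer and checksum type constants and the signature lengths are
real; the checksum functions are simplified (no RFC 3961 key derivation), the
keys and the PAC_LOGON_INFO payload are constructed, and the verifying side only
checks the two signatures it computes itself. Python is used so it runs with the
standard library alone:

```python
import hashlib
import hmac
import struct

# Buffer types (MS-PAC 2.4) and checksum types (RFC 3961/3962, MS-PAC 2.8); these values are real.
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
SIG_BUFFERS = (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)
CKSUMTYPE_HMAC_MD5 = 0xFFFFFF76        # KERB_CHECKSUM_HMAC_MD5 (RC4 keys): 16-byte signature
CKSUMTYPE_HMAC_SHA1_96_AES256 = 0x10   # hmac-sha1-96-aes256: 12-byte signature
SIG_LEN = {CKSUMTYPE_HMAC_MD5: 16, CKSUMTYPE_HMAC_SHA1_96_AES256: 12}


def checksum(ctype, key, data):
    # Simplified: the real checksums derive a usage-specific key first (RFC 3961 DK, MS-PAC 2.8).
    # Only the output lengths, which are what drive the buffer layout, are exact here.
    if ctype == CKSUMTYPE_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype == CKSUMTYPE_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type 0x%x" % ctype)


def align8(n):
    return (n + 7) & ~7


def signature_buffer(ctype):
    # PAC_SIGNATURE_DATA: SignatureType followed by a zeroed Signature of the type's length.
    return struct.pack("<I", ctype) + b"\x00" * SIG_LEN[ctype]


def build_pac(buffers):
    # [(type, data)] -> PACTYPE header, PAC_INFO_BUFFER array, then 8-byte-aligned buffer data.
    hdr_len = 8 + 16 * len(buffers)
    offset = align8(hdr_len)
    header = bytearray(struct.pack("<II", len(buffers), 0))      # cBuffers, Version
    body = bytearray()
    for btype, data in buffers:
        header += struct.pack("<IIQ", btype, len(data), offset)  # ulType, cbBufferSize, Offset
        padded = data + b"\x00" * (align8(len(data)) - len(data))
        body += padded
        offset += len(padded)
    header += b"\x00" * (align8(hdr_len) - hdr_len)
    return bytes(header + body)


def parse_pac(pac):
    # -> [(type, offset, data)] in header order, data without alignment padding.
    count = struct.unpack_from("<I", pac, 0)[0]
    hdrs = [struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count)]
    return [(btype, off, pac[off:off + size]) for btype, size, off in hdrs]


def sign_pac(pac, svc_key, kdc_key):
    # Server checksum over the PAC with both Signature fields zeroed, KDC checksum over the
    # server signature (MS-PAC 2.8.1). A signature that does not fit its existing slot is an error.
    buf = bytearray(pac)
    slots = {}                                   # buffer type -> (checksum type, sig offset, room)
    for btype, off, data in parse_pac(pac):
        if btype in SIG_BUFFERS:
            slots[btype] = (struct.unpack_from("<I", data)[0], off + 4, len(data) - 4)
            buf[off + 4:off + len(data)] = b"\x00" * (len(data) - 4)
    server_sig = checksum(slots[PAC_SERVER_CHECKSUM][0], svc_key, bytes(buf))
    kdc_sig = checksum(slots[PAC_PRIVSVR_CHECKSUM][0], kdc_key, server_sig)
    for (_, off, room), sig in ((slots[PAC_SERVER_CHECKSUM], server_sig),
                                (slots[PAC_PRIVSVR_CHECKSUM], kdc_sig)):
        if len(sig) != room:
            raise ValueError("%d-byte signature does not fit the %d-byte slot" % (len(sig), room))
        buf[off:off + room] = sig
    return bytes(buf)


def verify_pac(pac, svc_key, kdc_key):
    return sign_pac(pac, svc_key, kdc_key) == pac


def resign_in_place(pac, new_ctype, svc_key, kdc_key):
    # Keep the incoming layout and only switch the checksum type before re-signing; this can
    # only work when the new signature is exactly as long as the old one.
    buf = bytearray(pac)
    for btype, off, _ in parse_pac(pac):
        if btype in SIG_BUFFERS:
            struct.pack_into("<I", buf, off, new_ctype)
    return sign_pac(bytes(buf), svc_key, kdc_key)


def regenerate_pac(pac, new_ctype, svc_key, kdc_key):
    # The workaround: keep the data buffers, drop the old signature buffers entirely and lay
    # out fresh ones sized for the new checksum type, so nothing of the old signatures remains.
    kept = [(t, d) for t, _, d in parse_pac(pac) if t not in SIG_BUFFERS]
    fresh = build_pac(kept + [(t, signature_buffer(new_ctype)) for t in SIG_BUFFERS])
    return sign_pac(fresh, svc_key, kdc_key)


def cross_realm_demo():
    # Constructed scenario: an AD-issued PAC with HMAC-MD5 signatures is re-signed by a KDC that
    # picks AES. Keys and the logon-info payload are made up. Returns (in-place re-sign
    # succeeded, regenerated PAC verifies, original PAC length, regenerated PAC length).
    logon_info = b"constructed PAC_LOGON_INFO blob, not real NDR"
    ad_pac = sign_pac(build_pac([(PAC_LOGON_INFO, logon_info)] +
                                [(t, signature_buffer(CKSUMTYPE_HMAC_MD5)) for t in SIG_BUFFERS]),
                      b"ad-trust-key", b"ad-krbtgt-key")
    svc_key, kdc_key = b"ipa-service-key", b"ipa-krbtgt-key"
    try:
        resign_in_place(ad_pac, CKSUMTYPE_HMAC_SHA1_96_AES256, svc_key, kdc_key)
        in_place_ok = True
    except ValueError:
        in_place_ok = False
    ipa_pac = regenerate_pac(ad_pac, CKSUMTYPE_HMAC_SHA1_96_AES256, svc_key, kdc_key)
    return in_place_ok, verify_pac(ipa_pac, svc_key, kdc_key), len(ad_pac), len(ipa_pac)
```

Running cross_realm_demo() gives (False, True, 152, 136): the in-place re-sign is
rejected because a 12-byte AES signature cannot be written into a 16-byte slot laid
out for HMAC-MD5, whereas the regenerated PAC is 16 bytes shorter (two slots that
each shrink from 24 to 16 bytes after alignment) and verifies with the new keys.
Regenerating also means the offsets in the PAC_INFO_BUFFER array are recomputed
rather than patched, which is why the from-scratch approach sidesteps the
length problem entirely.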