On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> In some cases the KDC will decide to use a different checksum type when
> re-signing a PAC to include it in a service ticket.
> This is common in a cross-realm trust with AD as most AD DCs will use a
> HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> HMAC-SHA-AES when re-signing the PAC.
> In current MIT code, re-signing a PAC with a signature that differs in
> length from the original will cause an error.
> While MIT should handle this properly, we use the workaround of
> regenerating the PAC from scratch so that there is no trace of the
> previous signatures.
> Tested while obtaining a cross-realm ticket from an AD domain against a
> service belonging to an IPA domain.
I see "authdata (kdb) handling failure: Cannot allocate memory" in
krb5kdc.log when trying to log in with putty into the IPA server. Do you
already have an idea or shall I start gdb?
> Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
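As an added illustration of the length clash Simo describes above and of the workaround (not code from this thread, from MIT krb5 or from FreeIPA), the following Python models the PAC container: a PACTYPE header, the PAC_INFO_BUFFER array and two PAC_SIGNATURE_DATA buffers, using the real MS-PAC buffer type numbers (1, 6, 7) and the real Kerberos checksum type numbers (HMAC-MD5 is 0xFFFFFF76 with a 16-byte checksum, hmac-sha1-96-aes256 is 16 with a 12-byte checksum). The checksum computation is a simplification and an assumption of this example: plain HMAC over the raw key, where real Kerberos derives a usage-specific key first. The logon buffer contents and the keys are constructed. `resign_in_place` rewrites the existing signature buffers and therefore rejects a checksum of a different length; `resign_from_scratch` keeps the non-signature buffers and rebuilds the PAC with fresh signature buffers, so no trace of the old signatures remains.

```python
import hashlib
import hmac
import struct

# Buffer types from MS-PAC, checksum types from RFC 4757 / RFC 3962.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
SIG_TYPES = (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)
CKSUM_HMAC_MD5 = 0xFFFFFF76          # -138, used with RC4 keys; 16-byte checksum
CKSUM_HMAC_SHA1_96_AES256 = 16       # used with AES keys; 12-byte checksum
CKSUM_LEN = {CKSUM_HMAC_MD5: 16, CKSUM_HMAC_SHA1_96_AES256: 12}


def _checksum(ctype, key, data):
    # Assumption/simplification: HMAC with the raw key. Real Kerberos derives
    # a usage-specific key before computing the checksum.
    if ctype == CKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype == CKSUM_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type %#x" % ctype)


def build_pac(buffers):
    """Serialize [(ulType, data)] as PACTYPE: cBuffers, Version, the
    PAC_INFO_BUFFER array (ulType, cbBufferSize, Offset), then the buffer
    data, each buffer padded to an 8-byte boundary."""
    info, body = b"", b""
    offset = 8 + 16 * len(buffers)
    for btype, data in buffers:
        info += struct.pack("<IIQ", btype, len(data), offset)
        padded = data + b"\0" * ((-len(data)) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + info + body


def parse_pac(pac):
    """Return [(ulType, cbBufferSize, Offset)] from the PAC_INFO_BUFFER array."""
    count = struct.unpack_from("<II", pac, 0)[0]
    return [struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count)]


def empty_signature(ctype):
    """PAC_SIGNATURE_DATA with SignatureType set and Signature zeroed."""
    return struct.pack("<I", ctype) + b"\0" * CKSUM_LEN[ctype]


def sign_pac(pac, server_key, kdc_key):
    """Server checksum over the whole PAC with both Signature fields zeroed;
    KDC checksum over the server signature value (MS-PAC 2.8)."""
    bufs = {t: (o, s) for t, s, o in parse_pac(pac)}
    s_off, s_size = bufs[PAC_SERVER_CHECKSUM]
    k_off, k_size = bufs[PAC_PRIVSVR_CHECKSUM]
    s_type = struct.unpack_from("<I", pac, s_off)[0]
    k_type = struct.unpack_from("<I", pac, k_off)[0]
    buf = bytearray(pac)
    buf[s_off + 4:s_off + s_size] = b"\0" * (s_size - 4)
    buf[k_off + 4:k_off + k_size] = b"\0" * (k_size - 4)
    s_sig = _checksum(s_type, server_key, bytes(buf))
    k_sig = _checksum(k_type, kdc_key, s_sig)
    buf[s_off + 4:s_off + 4 + len(s_sig)] = s_sig
    buf[k_off + 4:k_off + 4 + len(k_sig)] = k_sig
    return bytes(buf)


def verify_pac(pac, server_key, kdc_key):
    return sign_pac(pac, server_key, kdc_key) == pac


def resign_in_place(pac, server_key, kdc_key, new_type):
    """Re-sign by rewriting the signature buffers already in the PAC. A checksum
    whose length differs from the original cannot be fitted into them."""
    buf = bytearray(pac)
    for btype, size, off in parse_pac(pac):
        if btype in SIG_TYPES:
            if size - 4 != CKSUM_LEN[new_type]:
                raise ValueError("%d-byte checksum does not fit a %d-byte signature"
                                 % (CKSUM_LEN[new_type], size - 4))
            struct.pack_into("<I", buf, off, new_type)
    return sign_pac(bytes(buf), server_key, kdc_key)


def resign_from_scratch(pac, server_key, kdc_key, new_type):
    """The workaround: keep every non-signature buffer, rebuild the PAC with
    fresh signature buffers sized for new_type, then sign."""
    kept = [(t, pac[o:o + s]) for t, s, o in parse_pac(pac) if t not in SIG_TYPES]
    rebuilt = build_pac(kept + [(t, empty_signature(new_type)) for t in SIG_TYPES])
    return sign_pac(rebuilt, server_key, kdc_key)


def ad_style_pac(server_key, kdc_key):
    """Constructed sample: a PAC as an RC4-keyed AD DC would sign it."""
    pac = build_pac([(PAC_LOGON_INFO, b"constructed KERB_VALIDATION_INFO blob")]
                    + [(t, empty_signature(CKSUM_HMAC_MD5)) for t in SIG_TYPES])
    return sign_pac(pac, server_key, kdc_key)


def in_place_resign_fails(pac, server_key, kdc_key, new_type):
    """True if the in-place path rejects new_type for this PAC."""
    try:
        resign_in_place(pac, server_key, kdc_key, new_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sk, kk = b"S" * 16, b"K" * 32   # constructed service and krbtgt keys
    pac = ad_style_pac(sk, kk)
    print("AD-style PAC verifies:", verify_pac(pac, sk, kk))
    print("in-place re-sign with AES checksum fails:",
          in_place_resign_fails(pac, sk, kk, CKSUM_HMAC_SHA1_96_AES256))
    new = resign_from_scratch(pac, sk, kk, CKSUM_HMAC_SHA1_96_AES256)
    print("rebuilt PAC verifies:", verify_pac(new, sk, kk))
```

The in-place path only succeeds when the new checksum has the same length as the one already in the buffers (re-signing an HMAC-MD5 PAC with HMAC-MD5 reproduces the same bytes); switching to an AES checksum type is exactly the cross-realm case in the thread and needs the rebuild.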