On Thu, 07 Feb 2013, Simo Sorce wrote:
This information is not strictly required but is part of the MS-PAC
specification and I had some time to kill on the plane on my last trip
back.
I tested it briefly with cross-realm trusts and it seem to work fine.
Neither IPA nor AD2012 complained when looking at PACs, do far.
Reviving.
It is actually required part as without it smbd will deny our attempt to
establish local part of the trust in some cases by misinterpreting what
we put in the PAC and thinking that a service impersonating original
user is the actual user but taking original user name as an account
name.
With this patch everything works fine. ACK.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
