On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote:
> In some cases the KDC will decide to use a different checksum type when
> re-signing a PAC to include it in a service ticket.
>
> This is common in a cross-realm trust with AD as most AD DCs will use a
> HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use
> HMAC-SHA-AES when re-signing the PAC.
>
> In current MIT code re-signing a PAC with a signature that differs in
> length from the original will cause an error.
>
> While MIT should handle this properly, we use the workaround of
> regenerating the PAC from scratch so that there is no trace of the
> previous signatures.
>
> Tested while obtaining a cross-realm ticket from an AD domain against a
> service belonging to an IPA domain.

I see "authdata (kdb) handling failure: Cannot allocate memory" in krb5kdc.log when trying to log in with putty into the IPA server. Do you already have an idea or shall I start gdb?

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
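Added illustration of the layout problem Simo describes (not code from this thread, from MIT krb5 or from FreeIPA): a PAC carries its server and KDC checksums in PAC_INFO_BUFFER slots whose size is fixed when the PAC is built, so an RC4 HMAC-MD5 signature (16 bytes) cannot be overwritten in place by an AES HMAC-SHA1-96 signature (12 bytes). The model below follows the MS-PAC buffer layout, but `toy_checksum` is a simplified stand-in for the real Kerberos keyed checksums (no key derivation), and the keys and LOGON_INFO payload are constructed sample values. `resign_in_place` fails on a length mismatch the way the text says current MIT code does; `regenerate_pac` rebuilds the PAC without the old signatures, which is the workaround being proposed.

```python
"""Toy model of re-signing a Kerberos PAC with a checksum of a different length.
Buffer layout after MS-PAC; checksum functions are simplified stand-ins, not
the real Kerberos keyed-checksum derivations."""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER types (MS-PAC 2.4): the two signature buffers.
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
SIG_TYPES = (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)

# Checksum types and the signature length each carries in PAC_SIGNATURE_DATA.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RC4-HMAC realms (typical AD DC): 16 bytes
HMAC_SHA1_96_AES256 = 0x00000010      # AES256 realms (typical IPA KDC): 12 bytes
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES256: 12}


def toy_checksum(ctype, key, data):
    """Simplified stand-in for a Kerberos checksum of type ctype (assumption)."""
    if ctype == KERB_CHECKSUM_HMAC_MD5:
        return hmac.new(key, data, hashlib.md5).digest()
    if ctype == HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type")


def build_pac(buffers):
    """Serialize [(ulType, payload)] as PACTYPE header + PAC_INFO_BUFFERs + 8-aligned data."""
    offset = 8 + 16 * len(buffers)
    infos, body = [], b""
    for ultype, payload in buffers:
        infos.append(struct.pack("<IIQ", ultype, len(payload), offset))
        padded = payload + b"\0" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + b"".join(infos) + body


def parse_pac(pac):
    """Return [(ulType, payload)] for every buffer in the PAC."""
    cbuffers, _version = struct.unpack_from("<II", pac, 0)
    out = []
    for i in range(cbuffers):
        ultype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        out.append((ultype, pac[off:off + size]))
    return out


def sign_pac(logon_buffers, ctype, server_key, kdc_key):
    """Append zeroed signature buffers, then fill them: server checksum over the
    whole PAC, KDC checksum over the server signature (MS-PAC 2.8)."""
    siglen = SIG_LEN[ctype]
    zero_sig = struct.pack("<I", ctype) + b"\0" * siglen
    bufs = list(logon_buffers) + [(PAC_SERVER_CHECKSUM, zero_sig), (PAC_PRIVSVR_CHECKSUM, zero_sig)]
    server_sig = toy_checksum(ctype, server_key, build_pac(bufs))
    kdc_sig = toy_checksum(ctype, kdc_key, server_sig)
    bufs[-2] = (PAC_SERVER_CHECKSUM, struct.pack("<I", ctype) + server_sig)
    bufs[-1] = (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", ctype) + kdc_sig)
    return build_pac(bufs)


def _signature_slots(pac):
    """Map signature buffer type -> (offset, size) from the PAC_INFO_BUFFER table."""
    slots = {}
    for i in range(struct.unpack_from("<I", pac, 0)[0]):
        ultype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if ultype in SIG_TYPES:
            slots[ultype] = (off, size)
    return slots


def resign_in_place(pac, ctype, server_key, kdc_key):
    """Overwrite the existing signature slots without changing the layout.
    Raises when the new signature does not fit the old slot (the MIT failure mode)."""
    pac = bytearray(pac)
    slots = _signature_slots(pac)
    siglen = SIG_LEN[ctype]
    for off, size in slots.values():
        if size != 4 + siglen:
            raise ValueError("signature length mismatch: cannot re-sign in place")
        pac[off:off + size] = struct.pack("<I", ctype) + b"\0" * siglen
    server_sig = toy_checksum(ctype, server_key, bytes(pac))
    soff = slots[PAC_SERVER_CHECKSUM][0]
    koff = slots[PAC_PRIVSVR_CHECKSUM][0]
    pac[soff + 4:soff + 4 + siglen] = server_sig
    pac[koff + 4:koff + 4 + siglen] = toy_checksum(ctype, kdc_key, server_sig)
    return bytes(pac)


def regenerate_pac(pac, ctype, server_key, kdc_key):
    """The workaround: keep the logon buffers, drop the old signatures, sign afresh."""
    logon = [(t, p) for t, p in parse_pac(pac) if t not in SIG_TYPES]
    return sign_pac(logon, ctype, server_key, kdc_key)


def verify_pac(pac, server_key, kdc_key):
    """Check both signatures; the server checksum is computed with signature bytes zeroed."""
    pac = bytearray(pac)
    sigs = {}
    for ultype, (off, size) in _signature_slots(pac).items():
        ctype = struct.unpack_from("<I", pac, off)[0]
        sigs[ultype] = (ctype, bytes(pac[off + 4:off + size]))
        pac[off + 4:off + size] = b"\0" * (size - 4)
    stype, server_sig = sigs[PAC_SERVER_CHECKSUM]
    if not hmac.compare_digest(server_sig, toy_checksum(stype, server_key, bytes(pac))):
        return False
    ktype, kdc_sig = sigs[PAC_PRIVSVR_CHECKSUM]
    return hmac.compare_digest(kdc_sig, toy_checksum(ktype, kdc_key, server_sig))


# Constructed sample: one LOGON_INFO buffer (type 1) with placeholder content.
SAMPLE_LOGON = [(1, b"constructed logon info")]
```

Usage: `sign_pac(SAMPLE_LOGON, KERB_CHECKSUM_HMAC_MD5, ad_srv, ad_kdc)` plays the AD-issued PAC; `resign_in_place(..., HMAC_SHA1_96_AES256, ...)` raises, while `regenerate_pac(..., HMAC_SHA1_96_AES256, ipa_srv, ipa_kdc)` yields a PAC that verifies under the IPA keys only and contains no trace of the RC4 signatures.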
