Bug 2211390

.MIT Kerberos now supports the Extended KDC MS-PAC signature With this update, MIT Kerberos, which is used by Red Hat, implements support for one of the two types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to recent CVEs. Specifically, MIT Kerberos in RHEL 8 supports the Extended KDC signature that was released in link:https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb[KB5020805] and that addresses link:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967[CVE-2022-37967]. Note that because of link:https://access.redhat.com/articles/rhel8-abi-compatibility[ABI stability constraints], MIT Kerberos on RHEL8 cannot support the other PAC signature type, that is Ticket signature as defined in link:https://support.microsoft.com/en-au/topic/kb4598347-managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab[KB4598347]. To troubleshoot problems related to this enhancement, see the following Knowledgebase resources: * link:https://access.redhat.com/solutions/7052125[RHEL-8.9 IdM update, web UI and CLI 401 Unauthorized with KDC S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC - user and group objects need SIDs] * link:https://access.redhat.com/solutions/394763[find_sid_for_ldap_entry - [file ipa_sidgen_cofind_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [120000023l] into an unused SID] * link:https://access.redhat.com/solutions/7014959[When upgrading to RHEL9, IDM users are not able to login anymore] * link:https://access.redhat.com/articles/7027037[POSIX IDs, SIDs and IDRanges in IPA] See also link:https://bugzilla.redhat.com/show_bug.cgi?id=2211387[BZ#2211387] and link:https://bugzilla.redhat.com/show_bug.cgi?id=2176406[BZ#2176406].