+++ This bug was initially created as a clone of Bug #2182683 +++

We are working on backporting the upstream implementation[1] of PAC extended KDC signature to RHEL9/8 and Fedora Rawhide/38/37.

The function that is being used to generate this signature is also meant to generate the PAC ticket signature. This implementation also requires the PAC ticket signature to be present in constrained delegation requests for the PAC to be accepted.

However, the signature generation function cannot be used by versions of krb5 prior to 1.20 because of API limitations. This is why we are backporting a slightly modified version of the extended PAC signature support. It allows generating the PAC extended KDC signature without the ticket signature, and tolerates the absence of the ticket signature.

When the version of krb5 is 1.20 or newer, this is not a problem. However, in gradual upgrade environments (including both 1.20+ and 1.19- servers), 1.20 servers will reject a PAC generated by a 1.19- server, because it does not contain any ticket signature.

In order to keep supporting constrained delegation in this kind of setup, we are adding support for an "optional_pac_full_chksum" string attribute for KDB entries. It will allow tolerating the absence of the PAC ticket signature for a certain realm.

IPA should be able to set this attribute according to the state of the domain:

* Set "optional_pac_full_chksum" to "true" if RHEL8 or RHEL9.1- or Fedora 36/37 servers are present
* Set "optional_pac_full_chksum" to "false" (or unset) if all servers are RHEL9.2+ or Fedora 38+

[1] https://github.com/krb5/krb5/pull/1284
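As an added illustration (not code from this bug report or from FreeIPA), the following models the decision rule above: the relaxation must stay on while any KDC in the domain runs a krb5 older than 1.20, and should be turned off as soon as every server is at RHEL 9.2+ or Fedora 38+, since accepting PACs without a ticket signature is a weakening that should not outlive the upgrade. The server inventory strings and the `legacy_kdcs` helper are assumptions constructed for the example; the real inventory source is whatever IPA uses.

```python
from __future__ import annotations
import re
from typing import Iterable

# Oldest releases whose krb5 (1.20+) both emits and requires the PAC ticket
# signature, per the bug report: RHEL 9.2+ and Fedora 38+.
MIN_FULL_CHKSUM = {"rhel": (9, 2), "fedora": (38, 0)}


def parse_release(os_release: str) -> tuple[str, tuple[int, int]]:
    """Parse 'RHEL 9.1', 'rhel8' or 'Fedora 37' into (family, (major, minor))."""
    m = re.fullmatch(r"\s*(rhel|fedora)\s*(\d+)(?:\.(\d+))?\s*", os_release, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised OS release: {os_release!r}")
    return m.group(1).lower(), (int(m.group(2)), int(m.group(3) or 0))


def server_requires_relaxation(os_release: str) -> bool:
    """True if this KDC's krb5 predates 1.20 and so cannot add the ticket signature."""
    family, version = parse_release(os_release)
    return version < MIN_FULL_CHKSUM[family]  # tuple compare: 9.10 > 9.2


def legacy_kdcs(servers: Iterable[str]) -> list[str]:
    """The servers still forcing the relaxation; empty once the upgrade is complete."""
    return [s for s in servers if server_requires_relaxation(s)]


def optional_pac_full_chksum(servers: Iterable[str]) -> str:
    """Value to set for the realm: 'true' while any legacy KDC remains, else 'false'."""
    return "true" if legacy_kdcs(list(servers)) else "false"


if __name__ == "__main__":
    # Constructed sample inventory of a mid-upgrade domain.
    inventory = ["RHEL 9.2", "RHEL 9.1", "Fedora 38", "rhel8"]
    print("optional_pac_full_chksum =", optional_pac_full_chksum(inventory))
    print("still blocking strict ticket-signature checks:", legacy_kdcs(inventory))
```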
Upstream pull request: https://github.com/freeipa/freeipa/pull/6785
Fixed upstream master: https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463 https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7 https://pagure.io/freeipa/c/545a363dd2f7f551fa3ec3fed66c80b30ae3c1e1
Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/630cda5c06428825dd5604493621b9cbdab70073 https://pagure.io/freeipa/c/bbe545ff9feb972e549c743025e4a26b14ef8f89 https://pagure.io/freeipa/c/7ea3b86696f5451f1d227d365018ab7dc53024af
Fixed upstream master: https://pagure.io/freeipa/c/e00f457f755e78d384beb8cc7ac312e9741b56af https://pagure.io/freeipa/c/4ef8258d58046ee905c929c0e889653a8b86d383 https://pagure.io/freeipa/c/03897d8a6899691b7218428b296f6d22ccadcfb2 https://pagure.io/freeipa/c/d551e853fc4e213cf384bc983d0e76d8568ee954 https://pagure.io/freeipa/c/9cdf010ca6c8b03d9f7cc338e8253219e0e877b0 https://pagure.io/freeipa/c/18bf495ce88fbb032f23f7db7f941458ecf55c7a
Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/3d0decd9efc4883328e95f9ff89002aec32462ec https://pagure.io/freeipa/c/803a44777f901217d634f8fd7feed8b66ece352a https://pagure.io/freeipa/c/fefa0248296413b6ee5ad2543d8feb1b31840aee https://pagure.io/freeipa/c/bd8fcd6f5bc62a4bfc544b69c0d960291be05d37 https://pagure.io/freeipa/c/1b55e9b1cb4f192635878b0b7242104d58a37d2b https://pagure.io/freeipa/c/11ce2b2133364916de06f4c42d8a19ce438bd41c
Fixed upstream master: https://pagure.io/freeipa/c/3a706e86200dd3ab9d317fb6f71ba80d3ae2f642
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-95e3fe4d76 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-95e3fe4d76` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-95e3fe4d76 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-95e3fe4d76 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.