jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Add Signature size for HMAC_SHA256 and HMAC_SHA384 #493

Closed gokrokvertskhov closed 1 year ago

gokrokvertskhov commented 1 year ago

This PR adds new signature sizes for encryption types (19 and 20) which are common in modern KDC installations. Values are taken from RFC 8009: https://datatracker.ietf.org/doc/html/rfc8009#section-7

Tested manually on FreeIPA version 4.9.8 / rocky 9.

Without this change, a server will not be able to decode a PAC with hmac-sha256-128-aes128 or hmac-sha384-192-aes256 signatures if the service.DecodePAC setting is set to true (default). The server will show the error message "SPNEGO validation error: defective token detected: PAC service checksum verification failed".

An available workaround is to use the setting service.DecodePAC(false).
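
Why the signature size matters, as an added example that is not part of this PR or of gokrb5's code: a PAC_SIGNATURE_DATA buffer has no length field for the signature, so the parser must derive the length from the signature type. The names `sigSize` and `parsePACSignature` are hypothetical, the -138/15/16 entries are the MS-PAC types, and the sample buffer is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// sigSize maps PAC_SIGNATURE_DATA SignatureType to signature length in bytes.
// -138, 15 and 16 are the MS-PAC types; 19 and 20 are the RFC 8009 types.
var sigSize = map[int32]int{
	-138: 16, // KERB_CHECKSUM_HMAC_MD5
	15:   12, // hmac-sha1-96-aes128
	16:   12, // hmac-sha1-96-aes256
	19:   16, // hmac-sha256-128-aes128
	20:   24, // hmac-sha384-192-aes256
}

// parsePACSignature (hypothetical helper) reads the little-endian
// SignatureType and returns the signature bytes that follow it. An unlisted
// type is rejected here, because guessing its length would only surface later
// as a checksum verification failure.
// Trailing bytes such as the optional RODCIdentifier are ignored.
func parsePACSignature(b []byte) (int32, []byte, error) {
	if len(b) < 4 {
		return 0, nil, fmt.Errorf("buffer too short for SignatureType: %d bytes", len(b))
	}
	t := int32(binary.LittleEndian.Uint32(b))
	n, ok := sigSize[t]
	if !ok {
		return t, nil, fmt.Errorf("no signature size known for type %d", t)
	}
	if len(b)-4 < n {
		return t, nil, fmt.Errorf("type %d needs %d signature bytes, got %d", t, n, len(b)-4)
	}
	return t, b[4 : 4+n], nil
}

func main() {
	// Constructed sample: type 20 followed by 24 placeholder signature bytes.
	buf := append([]byte{20, 0, 0, 0}, make([]byte, 24)...)
	t, sig, err := parsePACSignature(buf)
	fmt.Println(t, len(sig), err)
}
```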

jcmturner commented 1 year ago

Thanks for the contribution!