On Чцв, 07 вер 2023, Sam Morris via FreeIPA-users wrote:
On 07/09/2023 13:35, Alexander Bokovoy via FreeIPA-users wrote:
On Чцв, 07 вер 2023, Sam Morris wrote:
On Wed, Sep 06, 2023 at 02:50:32PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
It would help to see logs (krb5kdc.log) from RHEL8 servers for this communication, both on ipa5/ipa6 and back to xoanon.
I've created a script to test this automatically.
Thank you!
I filed https://pagure.io/freeipa/issue/9448 to track this issue. I'll be on vacation next week and Julien (krb5 maintainer) is on vacation too, so we'll look at it after we are both back to work.
You're welcome, enjoy your vacation!
I want to close down a loop here. We ended up implementing a dynamic Kerberos PAC ticket signature enforcement mechanism to address cross-version interoperability issue.
https://access.redhat.com/articles/7046409 documents fixes to this issue, thanks to Julien (krb5 maintainer). If you don't have free RHEL developer subscription, then one can be subscribed to at https://developers.redhat.com/about.