- Bug
- Resolution: Done-Errata
- Critical
- rhel-8.2.0
- krb5-1.18.2-26.el8_9
- ZStream, 0day
- rhel-sst-idm-ipa
- ssg_idm
- QE ack, Dev ack
- 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1
krb5 database abstraction layer (DAL) versions prior to 9 (krb5 1.20) require that constrained delegation (S4U2Proxy) requests carry an AD-SIGNEDPATH authorization data element in the evidence ticket. Since DAL 9 this field is no longer supported, because it has been replaced by the PAC signatures.
As a consequence, a service ticket issued by a RHEL 8 KDC (krb5 1.18) cannot be used as an evidence ticket for an S4U2Proxy request to a RHEL 9 KDC (krb5 1.20+): the RHEL 8 KDC still emits AD-SIGNEDPATH, while the RHEL 9 KDC relies on PAC signatures instead. This effectively breaks constrained delegation in a gradual (mixed-version) upgrade environment.
In IPA's case, requiring AD-SIGNEDPATH is not justified from a security perspective. The KDB plugin of IPA 4.9 (RHEL 8) already supports PAC signatures, so the PAC is already integrity-protected. The presence of AD-SIGNEDPATH should therefore not be required when the KDB plugin already requires PAC signatures to be verified for such requests.
- is related to: RHEL-10495 Tolerate absence of AD-SIGNEDPATH [rhel-8.10] (Closed)
- links to: RHBA-2023:122919 krb5 bug fix and enhancement update