svn rev #23667: trunk/src/include/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Jan 25 13:15:46 EST 2010

http://src.mit.edu/fisheye/changelog/krb5/?cs=23667
Commit By: ghudson
Log Message:
In the DAL comments, document KRB5_KDB_INCLUDE_PAC, and correct the
documentation of the S4U flags to indicate that they affect PAC
generation.

Changed Files:
U   trunk/src/include/kdb.h
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h	2010-01-25 04:12:21 UTC (rev 23666)
+++ trunk/src/include/kdb.h	2010-01-25 18:15:46 UTC (rev 23667)
@@ -848,7 +848,8 @@
      * The module must allocate each entry field separately, as callers may
      * free individual fields using db_free.  If the principal is not found,
      * set *nentries to 0 and return success.  The meaning of flags are as
-     * follows:
+     * follows (some of these may be processed by db_invoke methods such as
+     * KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by db_get_principal):
      *
      * KRB5_KDB_FLAG_CANONICALIZE: Indicates that a KDC client requested name
      *     canonicalization.  The module may return an out-of-realm referral by
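Review bot: the sentence this hunk extends still reads "The meaning of flags are as follows", a subject/verb mismatch; while the line is being touched, change it to "The meanings of the flags are as follows". The new parenthetical also only says that "some of these" flags are handled by db_invoke methods; naming them (the KRB5_KDB_INCLUDE_PAC and S4U entries below describe PAC generation rather than lookup behaviour) would tell a module author which flags db_get_principal itself can ignore.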
@@ -857,6 +858,11 @@
      *     filling in an in-realm principal name in entries->princ other than
      *     the one requested.
      *
+     * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+     *     client requested PAC information during padata, and during most TGS
+     *     requests.  Indicates that the module should include PAC information
+     *     when generating authorization data.
+     *
      * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
      *     client entry in an AS request.  Indicates that the module should
      *     return out-of-realm referral information in lieu of cross-realm TGT
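Review bot: the new entry's name, KRB5_KDB_INCLUDE_PAC, lacks the KRB5_KDB_FLAG_ prefix every neighbouring entry uses; if that is the real identifier, say so here so readers don't take it for a typo (or consider providing a KRB5_KDB_FLAG_INCLUDE_PAC alias). "when the client requested PAC information during padata" is awkward; "via padata" or "in its pre-authentication data" reads better. "during most TGS requests" leaves the exceptions unstated; spell them out the way the KRB5_KDB_FLAG_MAP_PRINCIPALS entry does for its exclusions.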
@@ -865,16 +871,17 @@
      * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
      *     entry during TGS requests, except for S4U TGS requests and requests
      *     where the server entry has the KRB5_KDB_NO_AUTH_DATA_REQUIRED
-     *     attribute.  Indicates that the module should map cross-realm
-     *     principals if it is capable of doing so.
+     *     attribute.  Indicates that the module should map foreign principals
+     *     to local principals if it supports doing so.
      *
      * KRB5_KDB_FLAG_PROTOCOL_TRANSITION: Set by the KDC when looking up the
-     *     client entry during an S4U2Self TGS request.  No special behavior is
-     *     needed.
+     *     client entry during an S4U2Self TGS request.  This affects the PAC
+     *     information which should be included when authorization data is
+     *     generated; see the Microsoft S4U specification for details.
      *
      * KRB5_KDB_FLAG_CONSTRAINED_DELEGATION: Set by the KDC when looking up the
-     *     client entry during an S4U2Proxy TGS request.  No special behavior
-     *     is needed.
+     *     client entry during an S4U2Proxy TGS request.  Also affects PAC
+     *     generation.
      *
      * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry
      *     during a TGS request, if the client principal is not part of the
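Review bot: the KRB5_KDB_FLAG_CONSTRAINED_DELEGATION text is reduced to "Also affects PAC generation", which only makes sense after reading the KRB5_KDB_FLAG_PROTOCOL_TRANSITION entry; make it self-contained and point at the same reference, e.g. "This affects the PAC information included when authorization data is generated; see the Microsoft S4U specification for details." In both entries, "the Microsoft S4U specification" is informal; citing the document by name ([MS-SFU]) makes it findable.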
