Reading MS PAC data
Greg Hudson
ghudson at MIT.EDU
Sun Aug 18 15:47:36 EDT 2013
On 08/18/2013 03:07 PM, Markus Moeller wrote:
> says ctx->authdata[i]->ad_type is 1 and not 128. Is there a bug in MIT ?
It looks like Heimdal's
gsskrb5_extract_authz_data_from_sec_context will look inside
AD-IF-RELEVANT containers but MIT's will not. We can correct this
divergence for future releases (I'm actually not sure how it came
about), but that probably doesn't solve your problem.
In the meantime, I think using gss_get_name_attribute with urn:mspac:
is your best bet, when linking against MIT krb5 libraries. Samba's
auth/kerberos/gssapi_pac.c has example usage.
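
Added example, not part of the original post and not code from MIT krb5, Heimdal or Samba: a self-contained C walk over DER-encoded AuthorizationData showing why a top-level search sees ad_type 1 (AD-IF-RELEVANT) while the PAC (ad_type 128) sits one level down. The names `find_pac` and `der_hdr` and the sample bytes are assumptions made for illustration; it does not use the GSS-API.

```c
#include <stddef.h>
#include <stdint.h>

#define AD_IF_RELEVANT 1   /* RFC 4120 container type */
#define AD_WIN2K_PAC 128   /* the type the quoted question expected */

/* Constructed sample: one AD-IF-RELEVANT element wrapping one AD-WIN2K-PAC
 * element whose 4 data bytes are a placeholder, not a real PAC. */
const uint8_t sample_authdata[] = {
    0x30,0x1D, 0x30,0x1B, 0xA0,0x03,0x02,0x01,0x01, 0xA1,0x14,0x04,0x12,
    0x30,0x10, 0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80,
    0xA1,0x06,0x04,0x04,0xDE,0xAD,0xBE,0xEF };

/* Read a DER header with the given tag; advance *p to the value, set *len. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    const uint8_t *q = *p;
    size_t n, k;
    if (end - q < 2 || q[0] != tag) return -1;
    n = q[1]; q += 2;
    if (n & 0x80) {                      /* long form: k length bytes follow */
        k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;   /* value must fit in the buffer */
    *p = q; *len = n; return 0;
}

/* Find AD-WIN2K-PAC, unwrapping at most `levels` nested AD-IF-RELEVANT
 * containers (0 = top level only). Returns 1 found, 0 absent, -1 malformed. */
int find_pac(const uint8_t *buf, size_t n, int levels, const uint8_t **pac, size_t *pac_len)
{
    const uint8_t *p = buf, *end = buf + n, *e;
    size_t len, i; long type; int r;
    if (der_hdr(&p, end, 0x30, &len) || p + len != end) return -1;  /* SEQUENCE OF */
    while (p < end) {
        if (der_hdr(&p, end, 0x30, &len)) return -1;                /* one element */
        e = p + len;
        if (der_hdr(&p, e, 0xA0, &len) || der_hdr(&p, e, 0x02, &len) || len < 1 || len > 4) return -1;
        for (type = (int8_t)p[0], i = 1; i < len; i++) type = type * 256 + p[i];  /* ad-type */
        p += len;
        if (der_hdr(&p, e, 0xA1, &len) || der_hdr(&p, e, 0x04, &len) || p + len != e) return -1;
        if (type == AD_WIN2K_PAC) { *pac = p; *pac_len = len; return 1; }
        if (type == AD_IF_RELEVANT && levels > 0 && (r = find_pac(p, len, levels - 1, pac, pac_len)) != 0) return r;
        p = e;                                                      /* next element */
    }
    return 0;
}
```

With `levels` set to 0 the sample yields no PAC, matching a search that only inspects top-level ad_type values; with `levels` of 1 or more the wrapped element is found.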