[krbdev.mit.edu #7694] gsskrb5_extract_authz_data_from_sec_context misses AD-IF-RELEVANT containers
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun Aug 18 16:04:54 EDT 2013

gsskrb5_extract_authz_data_from_sec_context was added to make it possible
to get the PAC from a sec context, and is currently the only interface
shared between MIT krb5 and Heimdal for that purpose. (The current
preferred method, gss_get_name_attribute with the key "urn:mspac:", is not
yet implemented in Heimdal.)

Unfortunately, gsskrb5_extract_authz_data_from_sec_context does not look
inside AD-IF-RELEVANT containers, and PACs are now shipped in those
containers. So it's mostly useless for the intended purpose. We should
use krb5_find_authdata to find the authorization data element instead.
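
The failure mode described above, as an added example that is not part of the original message and is not MIT krb5 or Heimdal code: a flat scan of a DER AuthorizationData misses a PAC wrapped in AD-IF-RELEVANT, while a scan that unwraps the container finds it. The names `tlv`, `find_ad`, `MAX_DEPTH` and the sample bytes are constructed for illustration; real code would call krb5_find_authdata rather than parse DER by hand.

```c
#include <stddef.h>
#include <stdint.h>
enum { AD_IF_RELEVANT = 1, AD_WIN2K_PAC = 128, MAX_DEPTH = 8 };
/* Constructed sample: AD-IF-RELEVANT wrapping one AD-WIN2K-PAC ("PAC!"). */
const uint8_t SAMPLE[] = { 0x30,0x1D, 0x30,0x1B, 0xA0,0x03,0x02,0x01,0x01,
    0xA1,0x14, 0x04,0x12, 0x30,0x10, 0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80,
    0xA1,0x06,0x04,0x04, 'P','A','C','!' };

/* Read one DER TLV with the expected tag, advance *p; 0 if malformed. */
static int tlv(const uint8_t **p, const uint8_t *end, uint8_t tag,
               const uint8_t **val, size_t *len)
{
    const uint8_t *q = *p;
    size_t n, k;
    if (end - q < 2 || *q++ != tag) return 0;
    n = *q++;
    if (n & 0x80) {                     /* long-form length, 1 or 2 bytes */
        k = n & 0x7f;
        if (k < 1 || k > 2 || (size_t)(end - q) < k) return 0;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0;
    *val = q; *len = n; *p = q + n;
    return 1;
}

/* Locate ad-data of the first element of type `want`. depth == 0 is the flat
 * scan; depth > 0 also unwraps AD-IF-RELEVANT. Returns 0 if absent/malformed. */
int find_ad(const uint8_t *buf, size_t len, long want, int depth,
            const uint8_t **out, size_t *outlen)
{
    const uint8_t *p = buf, *end, *seq, *el, *e, *f, *iv, *d;
    size_t sl, ell, fl, il, dl, k;
    long type;
    if (!tlv(&p, buf + len, 0x30, &seq, &sl)) return 0;
    for (p = seq, end = seq + sl; p < end; ) {
        if (!tlv(&p, end, 0x30, &el, &ell)) return 0;     /* one element */
        e = el;
        if (!tlv(&e, el + ell, 0xA0, &f, &fl) ||          /* ad-type [0] */
            !tlv(&f, f + fl, 0x02, &iv, &il) || il < 1 || il > 4) return 0;
        for (type = (int8_t)iv[0], k = 1; k < il; k++) type = type * 256 + iv[k];
        if (!tlv(&e, el + ell, 0xA1, &f, &fl) ||          /* ad-data [1] */
            !tlv(&f, f + fl, 0x04, &d, &dl)) return 0;
        if (type == want) { *out = d; *outlen = dl; return 1; }
        if (type == AD_IF_RELEVANT && depth > 0 &&
            find_ad(d, dl, want, depth - 1, out, outlen)) return 1;
    }
    return 0;
}
```

Calling `find_ad` on `SAMPLE` for `AD_WIN2K_PAC` with depth 0 reproduces the miss; passing `MAX_DEPTH` returns the wrapped element, and the depth bound keeps nested containers from recursing without limit.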