Kerberos Feature Request

Brian Davidson bdavids1 at
Wed Feb 11 14:54:21 EST 2004

On Wednesday, February 11, 2004, at 01:39 PM, Sam Hartman wrote:
> Folks, this discussion has drifted far enough away from reality that
> it is no longer appropriate for krbdev.  Even if it drifts back to
> reality it's all been fairly well hashed out before.
> 1) You cannot add authorization data in an AS request, only a TGS
>     request.

> If someone wants to propose a plugin API or more interestingly to
> implement it, discussing that here on krbdev would be fine.

How about loadable Authorization modules, which register callback 
functions.  During the construction of a Service Ticket reply, a 
registered callback function would be called (along with the principal 
name and the name of the service.  If the PAC (DCE or Microsoft) is the 
only place authorization information might be stored, then return a 
pointer to a PAC.  Even better, pass a pointer to a PAC structure as an 
argument and return a boolean.  If false is returned, then don't supply 
a Service Ticket to the user.

The authorization module would be free to construct a PAC, given 
knowledge of the principal and the service name.

I'm sure I've overlooked lots of little details, but wouldn't this 
approach work?  I can see a Samba and/or OpenLDAP group writing 
authorization modules, so that the 'holy grail' of Kerberos + LDAP + 
Samba == replace Active Directory can be achieved.

There also could be applications outside of just replacing AD servers.  
If you don't receive a service ticket to begin with, you're denied 
access to a service.  That's a great start for centralized 

Brian Davidson
George Mason University

More information about the krbdev mailing list