Proposal: krb5_get_init_creds_opt_set_change_password_prompt

Douglas E. Engert deengert at
Mon Dec 4 18:48:06 EST 2006

Kevin Coffman wrote:

> Branch users/coffman/gic_opt_ext has my propoal for extending the
> get_init_creds_opt structure and making use of it to pass preauth
> options through the to preauth plugins.
> There is currently extra test code in kinit.c which does not belong.
> Hopefully it is obvious.  There is currently *not* a compatibility
> function/macro to match Heimdal's krb5_get_init_creds_opt_set_pkinit()
> function.

Since PAM_KRB5 is a common source routine that needs to call
krb5_get_init_creds_* it would be nice if both MIT and Heimdal
used the same API....

> Comments please.
> On 11/20/06, Jeffrey Altman <jaltman at> wrote:
>>Kevin Coffman wrote:
>>>The attached patch does not really do any real extensions yet, but the
>>>plumbing is here.  I didn't change KFW_kinit() in
>>>src/windows/kfwlogon/kfwcommon.c because I wasn't sure how to handle
>>>this pkrb5_ stuff.  (Jeffrey is this as straight-forward as the rest
>>>of the changes?)
>>Don't worry about windows/cns or windows/kfwlogon.  It can be updated
>>when there is a need to do so.  windows/cns has not been touched in years.
>>>Does this look reasonable?
>>I would not put assert() calls into libraries.  If
>>krb5_gic_opt_is_extended() fails, the calling function should return an
>>error to the caller.  We don't want to cause the application to
>>terminate unexpectedly.
>>Remember to update the Windows export list: src/lib/krb5_32.def
>>Other than that, looks reasonable.
>>Jeffrey Altman
> _______________________________________________
> krbdev mailing list             krbdev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list