Password sync plugin, and questions about plugin criticality

[Luke Howard]

>Hmmm, I'm not sure you can generalize them all.  A GSS-API mechglue, for
>example, is not at all like SLAPI or PAM in that the mechglue has to
>keep significant state and "route" calls to mechanisms.

Yeah, I wasn't thinking too much about GSS-API given we already have
something that works. I was thinking more about the KDC.

>A pre-auth plug-in framework should be a pretty dumb thing.  As should

It depends what the pre-auth data actually does, for example
the S4U2Self PA type changes the handling of a TGS-REQ quite
significantly.

-- Luke

--