Review ofhttp://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10
raeburn at MIT.EDU
Tue Dec 23 14:58:39 EST 2008
> krb5_error_code KRB5_CALLCONV krb5_pac_get_buffer (krb5_context
> context, krb5_pac pac, krb5_ui_4 type, krb5_data *data);
Does each type permit only one entry?
Doc issue: Is this a copy the caller needs to free, or a reference to
data in the krb5_pac object?
> #define KRB5_PRINCIPAL_UNPARSE_SHORT 1
> #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2
> #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4
... which mean what precisely?
> #define KRB5_PRINCIPAL_PARSE_NO_REALM 1
Absence of realm is okay? Discard the supplied realm?
> #define KRB5_PRINCIPAL_PARSE_MUST_REALM 2
"Realm" not verb. Better name? "Require"?
> #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4
I assume this means "stick the entire string into the first component,
and give it NT-ENTERPRISE type"? Is unquoting of \. and \@ and such
> The following flag is defined for krb5_get_credentials:
You listed two flags here... GC_USER_USER has been around for a while,
so I assume GC_CANONICALIZE is the new bit.
> #define KRB5_GC_USER_USER 1 /* want user-user ticket */
> #define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
> The user_user flag searches the ccache for a credential encrypted in
> the right TGT.
I think that's been long-standing behavior, hasn't it? Or is this a
(supposedly on vacation...)
More information about the krbdev