Review of http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10
Sam Hartman
hartmans at MIT.EDU
Tue Dec 23 15:14:24 EST 2008
>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
>> krb5_error_code KRB5_CALLCONV krb5_pac_get_buffer (krb5_context
>> context, krb5_pac pac, krb5_ui_4 type, krb5_data *data);
Ken> Does each type permit only one entry?
Yes.
Ken> Doc issue: Is this a copy the caller needs to free, or a
Ken> reference to data in the krb5_pac object?
Will address.
>> #define KRB5_PRINCIPAL_UNPARSE_SHORT 1
>> #define KRB5_PRINCIPAL_UNPARSE_NO_REALM 2
>> #define KRB5_PRINCIPAL_UNPARSE_DISPLAY 4
Ken> ... which mean what precisely?
Luke?
>> #define KRB5_PRINCIPAL_PARSE_NO_REALM 1
Ken> Absence of realm is okay? Discard the supplied realm?
Luke?
>> #define KRB5_PRINCIPAL_PARSE_MUST_REALM 2
Ken> "Realm" not verb. Better name? "Require"?
If this is shipping in Heimdal, I think we should keep it.
Otherwise I'm happy to change.
>> #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4
Ken> I assume this means "stick the entire string into the first
Ken> component, and give it NT-ENTERPRISE type"?
Yes.
Ken> Is unquoting of
Ken> \. and \@ and such done?
Unsure.
>> The following flag is defined for krb5_get_credentials:
Ken> You listed two flags here... GC_USER_USER has been around for
Ken> a while, so I assume GC_CANONICALIZE is the new bit.
>> #define KRB5_GC_USER_USER 1 /* want user-user ticket */
>> #define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
>> The user_user flag searches the ccache for a credential
>> encrypted in the right TGT.
Ken> I think that's been long-standing behavior, hasn't it? Or is
Ken> this a change?
I thought that was a new flag.
I guess I misread the diff.
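The principal parse and unparse flags argued over in this thread, modelled as an added example in Python (not MIT krb5 or Heimdal code). The flag values are the ones in the proposal under review; the semantics attached to them are assumptions made here (NO_REALM rejects input carrying a realm, MUST_REALM rejects input lacking one, UNPARSE_SHORT drops a realm equal to the default, UNPARSE_NO_REALM always drops it, UNPARSE_DISPLAY skips backslash quoting). The enterprise handling (whole string into one NT-ENTERPRISE component, split at the last unquoted '@', backslash unquoting still applied) is also an assumption, and the unquoting part is exactly the point the reply marks "Unsure". `KRB5_NT_PRINCIPAL` and `KRB5_NT_ENTERPRISE_PRINCIPAL` carry their standard values; `parse_name`, `unparse_name`, `Principal` and `rejects` are hypothetical names.

```python
"""Model of the principal parse/unparse flags under review (added example, not
krb5 code).  Flag values come from the proposal; the semantics are assumptions."""
from dataclasses import dataclass

KRB5_PRINCIPAL_PARSE_NO_REALM = 1     # assumed: reject input that carries a realm
KRB5_PRINCIPAL_PARSE_MUST_REALM = 2   # assumed: reject input with no realm
KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4   # whole string -> one NT-ENTERPRISE component

KRB5_PRINCIPAL_UNPARSE_SHORT = 1      # assumed: drop the realm when it is the default
KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2   # assumed: always drop the realm
KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4    # assumed: emit specials without backslash quoting

KRB5_NT_PRINCIPAL = 1                 # standard name-type values
KRB5_NT_ENTERPRISE_PRINCIPAL = 10

_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}
_QUOTE = {v: "\\" + k for k, v in _ESCAPES.items()}


class ParseError(ValueError):
    pass


@dataclass
class Principal:
    components: list
    realm: str
    name_type: int = KRB5_NT_PRINCIPAL


def _unquoted(s, ch):
    """Offsets of every ch in s that is not preceded by a quoting backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 2                      # skip the quoted character
            continue
        if s[i] == ch:
            out.append(i)
        i += 1
    return out


def _unquote(s):
    """Turn \\n \\t \\b \\0 into control characters and \\X into literal X."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_name(name, flags=0, default_realm=None):
    enterprise = bool(flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE)
    ats = _unquoted(name, "@")
    if ats:
        # Normal names split at the first unquoted '@'; enterprise names such as
        # alice@example.com@REALM split at the last one (assumption).
        cut = ats[-1] if enterprise else ats[0]
        name_part, realm = name[:cut], name[cut + 1:]
        if _unquoted(realm, "@") or _unquoted(realm, "/"):
            raise ParseError("separator inside realm: %r" % realm)
    else:
        name_part, realm = name, None

    if realm is not None and flags & KRB5_PRINCIPAL_PARSE_NO_REALM:
        raise ParseError("realm not allowed here")
    if realm is None:
        if flags & KRB5_PRINCIPAL_PARSE_MUST_REALM:
            raise ParseError("realm required")
        if not flags & KRB5_PRINCIPAL_PARSE_NO_REALM:
            if default_realm is None:
                raise ParseError("no realm given and no default realm")
            realm = default_realm

    if enterprise:
        # Single component, NT-ENTERPRISE type; '/' is not a separator here and
        # backslash unquoting is still applied (both assumptions).
        return Principal([_unquote(name_part)], realm, KRB5_NT_ENTERPRISE_PRINCIPAL)
    cuts = [-1] + _unquoted(name_part, "/") + [len(name_part)]
    comps = [_unquote(name_part[a + 1:b]) for a, b in zip(cuts, cuts[1:])]
    return Principal(comps, realm)


def _quote(s, display):
    if display:
        return s
    return "".join("\\" + c if c in "/@\\" else _QUOTE.get(c, c) for c in s)


def unparse_name(princ, flags=0, default_realm=None):
    display = bool(flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY)
    out = "/".join(_quote(c, display) for c in princ.components)
    drop = flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM or (
        flags & KRB5_PRINCIPAL_UNPARSE_SHORT and princ.realm == default_realm)
    if drop or princ.realm is None:
        return out
    return out + "@" + _quote(princ.realm, display)


def rejects(name, flags=0, default_realm=None):
    """True when parse_name refuses the input under the given flags."""
    try:
        parse_name(name, flags, default_realm)
    except ParseError:
        return True
    return False
```

The quoting matters for the question about `\@`: once `unparse_name` writes the enterprise component as `alice\@example.com@EXAMPLE.COM`, only the realm separator is an unquoted '@', so the string parses back to the same principal whether or not the parser picks the first or last unquoted '@'; it is the unquoted form `alice@example.com@EXAMPLE.COM` that only the enterprise rule handles.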