Review ofhttp://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10
hartmans at MIT.EDU
Tue Dec 23 15:14:24 EST 2008
>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
>> krb5_error_code KRB5_CALLCONV krb5_pac_get_buffer (krb5_context
>> context, krb5_pac pac, krb5_ui_4 type, krb5_data *data);
Ken> Does each type permit only one entry?
Ken> Doc issue: Is this a copy the caller needs to free, or a
Ken> reference to data in the krb5_pac object?
>> #define KRB5_PRINCIPAL_UNPARSE_SHORT 1 #define
>> KRB5_PRINCIPAL_UNPARSE_NO_REALM 2 #define
>> KRB5_PRINCIPAL_UNPARSE_DISPLAY 4
Ken> ... which mean what precisely?
>> #define KRB5_PRINCIPAL_PARSE_NO_REALM 1
Ken> Absence of realm is okay? Discard the supplied realm?
>> #define KRB5_PRINCIPAL_PARSE_MUST_REALM 2
Ken> "Realm" not verb. Better name? "Require"?
If this is shipping in Heimdal, I think we should keep it.
Otherwise I'm happy to change.
>> #define KRB5_PRINCIPAL_PARSE_ENTERPRISE 4
Ken> I assume this means "stick the entire string into the first
Ken> component, and give it NT-ENTERPRISE type"?
Ken> Is unquoting of
Ken> \. and \@ and such done?
>> The following flag is defined for krb5_get_credentials:
Ken> You listed two flags here... GC_USER_USER has been around for
Ken> a while, so I assume GC_CANONICALIZE is the new bit.
>> #define KRB5_GC_USER_USER 1 /* want user-user ticket */ #define
>> KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
>> The user_user flag searches the ccache for a credential
>> encrypted in the right TGT.
Ken> I think that's been long-standing behavior, hasn't it? Or is
Ken> this a change?
I thought that was a new flag.
I guess I misread the diff.
More information about the krbdev