Question on PAC and principal APIs project

Sam Hartman hartmans at MIT.EDU
Wed Feb 11 08:24:53 EST 2009

>>>>> "Natalie" == Natalie Li <Natalie.Li at Sun.COM> writes:

    Natalie> Sam Hartman wrote:
    >> Note that there is also a mechanism to extract authorization
    >> data from a GSS-API context.
    Natalie> I'm not too familiar with the MIT codebase.  Could you
    Natalie> please point me to the relevant source code?

    Natalie> Thanks,

gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                                                                        int ad_type,
                                                                                                                                    gss_buffer_t ad_data);
will pull the authorization data out of a context.
You'd need to pull out  ad-if-relevant 
and then use
krb5_error_code KRB5_CALLCONV
krb5_decode_authdata_container(krb5_context context,
    krb5_authdatatype type,
        const krb5_authdata *container,
            krb5_authdata ***authdata);
to pull appart the container.
You can then pass the PAC into the APIs described in the project.

Yes, that should be made a bit cleaner.  There should be a utility
function to help.  If you have the time and want to propose such a
utility that would be an excellent contribution to the project, although discussing the interface may take a bit of time.
If you just want to get work done, that's OK too:-)

More information about the krbdev mailing list