Question on PAC and principal APIs project

Natalie Li Natalie.Li at Sun.COM
Wed Feb 11 14:51:48 EST 2009

That's very helpful.  Thanks Sam!

Sam Hartman wrote:
>>>>>> "Natalie" == Natalie Li <Natalie.Li at Sun.COM> writes:
>     Natalie> Sam Hartman wrote:
>     >> Note that there is also a mechanism to extract authorization
>     >> data from a GSS-API context.
>     >> 
>     Natalie> I'm not too familiar with the MIT codebase.  Could you
>     Natalie> please point me to the relevant source code?
>     Natalie> Thanks,
> gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
>                                             const gss_ctx_id_t context_handle,
>                                             int ad_type,
>                                             gss_buffer_t ad_data);
> (gssapi_krb5.h)
> will pull the authorization data out of a context.
> You'd need to pull out ad-if-relevant
> and then use
> krb5_error_code KRB5_CALLCONV
> krb5_decode_authdata_container(krb5_context context,
>                                krb5_authdatatype type,
>                                const krb5_authdata *container,
>                                krb5_authdata ***authdata);
> to pull apart the container.
> You can then pass the PAC into the APIs described in the project.
> Yes, that should be made a bit cleaner.  There should be a utility
> function to help.  If you have the time and want to propose such a
> utility that would be an excellent contribution to the project,
> although discussing the interface may take a bit of time.
> If you just want to get work done, that's OK too:-)
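
The container step described in the quoted message, as an added example that is not part of the original thread and is not MIT krb5 code: it hand-walks the DER AuthorizationData carried inside an AD-IF-RELEVANT element to locate the AD-WIN2000-PAC entry (ad-type 128), bounds-checking every length because the bytes come from the peer's ticket. The names `der_enter` and `find_authdata` and the sample bytes are constructed for illustration; real code would call krb5_decode_authdata_container as Sam describes.

```c
#include <stddef.h>
#include <stdint.h>

#define AD_WIN2000_PAC 128   /* ad-type of the PAC element (RFC 4120) */

/* Constructed sample (not a real PAC): DER AuthorizationData with one element
 * of type 141 and one of type 128 whose ad-data is the 4 bytes "PAC!". */
static const uint8_t SAMPLE[] = { 0x30,0x1E,
    0x30,0x0C, 0xA0,0x04,0x02,0x02,0x00,0x8D, 0xA1,0x04,0x04,0x02,0x01,0x02,
    0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80, 0xA1,0x06,0x04,0x04,'P','A','C','!' };

/* Enter one DER TLV with the expected tag: on success *p points at the value
 * and *len is its length, both checked against end. Returns -1 if malformed. */
static int der_enter(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    const uint8_t *q = *p;
    if (end - q < 2 || q[0] != tag) return -1;
    size_t n = q[1], k;
    q += 2;
    if (n & 0x80) {                      /* long form: n & 0x7f length octets */
        k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *p = q; *len = n;
    return 0;
}

/* Return the ad-data of the first element whose ad-type equals `want`, or
 * NULL if no such element exists or the encoding is malformed. */
const uint8_t *find_authdata(const uint8_t *buf, size_t n, int32_t want, size_t *out_len)
{
    const uint8_t *p = buf, *end = buf + n;
    size_t len, l;
    if (der_enter(&p, end, 0x30, &len)) return NULL;        /* SEQUENCE OF */
    for (end = p + len; p < end; ) {
        if (der_enter(&p, end, 0x30, &len)) return NULL;    /* one element */
        const uint8_t *e = p, *eend = p + len;
        p = eend;                                           /* next element */
        if (der_enter(&e, eend, 0xA0, &l) || der_enter(&e, e + l, 0x02, &l)
            || l == 0 || l > 4) return NULL;                /* ad-type [0] INTEGER */
        uint32_t v = (e[0] & 0x80) ? 0xFFFFFFFFu : 0;       /* sign-extend */
        for (; l > 0; l--) v = (v << 8) | *e++;
        if (der_enter(&e, eend, 0xA1, &l) || der_enter(&e, e + l, 0x04, &l)) return NULL;
        if ((int32_t)v == want) { *out_len = l; return e; } /* ad-data [1] OCTET STRING */
    }
    return NULL;
}
```

The returned pointer and length are the raw PAC bytes that would then be handed to the PAC APIs the thread refers to.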

