Proper way to do logging (KDC) from preauth plugin?

[Jeff Blaine]

> I think that configuration of which pa types should be required for a
> given user don't belong in a PA_REQUIRED flag.

Reflecting more on it, FWIW, I completely agree.  That thought was
really just a desperate attempt to find some immediate way
to make any sort of progress in my project, intentionally
ignoring any long-term relevance or correctness.  I may
even continue down that path for the sake of getting
*anything* working the way I need it to in our exploratory
code.  (ugh)

> I think if you're looking for a facility to decide whether a particular
> request should be honored that always runs against the request, then you
> would need a new facility.  I think designing such a facility will be a
> bit tricky.  Using that type of facility for environment-specific
> restrictions seems fine.  For example: in our environment, we never want
> to let certain users log in outside of working hours.
>
> However, using such a facility to limit access to specific services
> seems highly problematic from a secure interoperability standpoint.  RFC
> 4120 requires services to handle authorization.  If some KDCs in some
> environment will handle some of the authorization, but other KDCs in
> other environments do not, then it seems very easy to get a class of
> services that are not interoperable with a general purpose KDC or that
> are not secure when used with such a KDC.  I'm strongly against that.

 From my part of the conversation, none of this is intended to be
used for authorization.  The goal is to require a specific
pre-authentication succeeds before considering the granting of
a TGT (for any intended purpose).