Adding a krb5_get_change_password_message() function?

Stef Walter stefw at
Wed Apr 25 08:44:09 EDT 2012

On 04/25/2012 02:34 PM, Simo Sorce wrote:
> On Wed, 2012-04-25 at 13:43 +0200, Stef Walter wrote:
>> > If it is already utf-8 data, then krb5_get_change_password_message()
>> > would null-terminate it correctly and return it. If it's another
>> > structure that we recognize, krb5_get_change_password_message() could
>> > format a useful message from it.
>> > 
> Maybe you want to get back the structure intact too.

Yes, you can already do that today. The 'result_string' out parameter of
krb5_change_password() is a struct krb5_data and returns this structure
intact as on the wire.

Attached is an example program that plays with this a bit.

Today's clients turn this struct krb5_data into a utf-8 string. Usually
by just assuming krb5_data->data is a string of krb5_data->length bytes.
The reason today's clients don't barf on the AD policy structure
returned is because of the zero bytes which pad the start of the AD
style policy structure, thus null-terminating the string earlier than

Under my proposal, future clients would take this krb5_data that comes
out of krb5_change_password() and pass it into
krb5_get_change_password_message() instead, and use the char * string
returned. They would still be able to use the krb5_data structure directly.

And yes, in theory this feature doesn't have to be implemented in krb5.
The clients could parse this AD specific policy structure themselves.
However doing it in one place (like krb5) seems to make the most sense
(to me at least :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: frob-krb5-change.c
Type: text/x-csrc
Size: 2737 bytes
Desc: not available
Url :
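
The conversion discussed in the message above (a length-counted reply buffer turned into a C string), as an added example that is not part of the original message or its attachment: a hypothetical helper `reply_to_message()` returns a NUL-terminated copy only when the buffer is well-formed UTF-8 with no zero bytes, and NULL otherwise so the caller can keep handling the raw structure. `struct reply_data` is a stand-in for struct krb5_data, and the sample blob is constructed, not a real AD policy layout.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct krb5_data so this builds without the krb5 headers. */
struct reply_data { unsigned int length; const char *data; };

/* Constructed samples: a text reply and a zero-led blob (not a real AD layout). */
static const char sample_text[] = "Password too short";
static const char sample_blob[] = { 0, 0, 0, 0, 0, 7, 0, 0, 0, 1 };

/* 1 if s[0..len) is well-formed UTF-8 with no embedded NUL bytes, else 0. */
static int is_clean_utf8(const unsigned char *s, size_t len)
{
    size_t i = 0, k, n;
    unsigned long cp, min;

    while (i < len) {
        unsigned char c = s[i];
        if (c == 0) return 0;                 /* binary structure, not text */
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;
        if (len - i <= n) return 0;           /* sequence runs past the buffer */
        for (k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}

/* Hypothetical helper: malloc'd NUL-terminated copy, or NULL if not plain text. */
char *reply_to_message(const struct reply_data *r)
{
    char *msg;

    if (r == NULL || r->data == NULL || r->length == 0) return NULL;
    if (!is_clean_utf8((const unsigned char *)r->data, r->length)) return NULL;
    if ((msg = malloc((size_t)r->length + 1)) == NULL) return NULL;
    memcpy(msg, r->data, r->length);          /* copy exactly length bytes */
    msg[r->length] = '\0';                    /* the buffer itself is not terminated */
    return msg;
}
```

The caller owns the returned string and releases it with `free()`.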
