Question about excluding the PAC

Greg Hudson ghudson at
Fri Jan 25 17:56:39 EST 2019

On 1/25/19 4:56 PM, Schwartz, John wrote:
> I see that kinit has the option "--no-request-pac"
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

There is no krb5.conf variable, but if you have control of the web
server C code which invokes krb5_get_init_creds_password(), you can do
it via a get_init_creds option.  The relevant functions are:

Note that this option is new in release 1.15.

More information about the krbdev mailing list