Question about excluding the PAC
Greg Hudson
ghudson at mit.edu
Fri Jan 25 17:56:39 EST 2019
On 1/25/19 4:56 PM, Schwartz, John wrote:
> I see that kinit has the option "--no-request-pac"
>
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?
There is no krb5.conf variable, but if you have control of the web
server C code which invokes krb5_get_init_creds_password(), you can do
it via a get_init_creds option. The relevant functions are:
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_free.html
Note that this option is new in release 1.15.
More information about the krbdev
mailing list