Question about excluding the PAC

Schwartz, John John.Schwartz at
Fri Jan 25 18:39:32 EST 2019

Thank you Greg.  I have access to the server but do not have access to the direct source code and am using the standard build.  I had been reading that custom plugins can be created and referenced in the krb5.conf but am a little lost on the what libraries (for instance) need to be included in the source code in order for me to use a certain function.

Thank you for your input.

BTW, do you know how I can validate what exact version I am using?


Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services
21555 Oxnard St., Woodland Hills, California 91367
O: (818) 234-6763 |
john.schwartz at

-----Original Message-----
From: Greg Hudson [mailto:ghudson at]
Sent: Friday, January 25, 2019 2:57 PM
To: Schwartz, John <John.Schwartz at>; krbdev at
Subject: Re: Question about excluding the PAC

On 1/25/19 4:56 PM, Schwartz, John wrote:
> I see that kinit has the option "--no-request-pac"
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

There is no krb5.conf variable, but if you have control of the web server C code which invokes krb5_get_init_creds_password(), you can do it via a get_init_creds option.  The relevant functions are:

Note that this option is new in release 1.15.

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.

More information about the krbdev mailing list