Proposed libkrb5 APIs for name attributes

Greg Hudson ghudson at
Wed Jul 31 18:37:06 EDT 2019

Right now a GSS server application can get access to PAC information and
auth indicators using the RFC 6680 APIs (such as
gss_get_name_attribute()) on the src_name returned by

The libkrb5 interfaces used to implement these APIs are private:
krb5_auth_con_get_authdata_context() to get a krb5_authdata_context (a
private type) and then a set of functions like

I understand that Samba needs to access auth indicators in a non-GSS
server application.  Rather than bring the whole set of
krb5_authdata_context interfaces into the public API, I am inclined to
add just one or two new auth context APIs:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute(krb5_context context,
                                krb5_auth_context auth_context,
                                const krb5_data *attribute,
                                krb5_boolean *authenticated,
                                krb5_boolean *complete, krb5_data *value,
                                krb5_data *display_value, int *more);

and maybe:

    krb5_error_code KRB5_CALLCONV
    krb5_auth_con_get_attribute_types(krb5_context context,
                                      krb5_auth_context auth_context,
                                      krb5_data **attrs);

    void KRB5_CALLCONV
    krb5_free_data_list(krb5_context context, krb5_data *list);

But first I'd like to confirm that these would be sufficient.

More information about the krbdev mailing list