The PAC must be the first ad-element

Isaac Boukris iboukris at gmail.com
Mon Feb 3 04:32:20 EST 2020


On Sat, Feb 1, 2020 at 2:05 AM Isaac Boukris <iboukris at gmail.com> wrote:
>
> Interestingly, in the trust case if the PAC is the first element the
> trusted windows KDC would remove the other element and leave only the
> PAC (if the other element was first, then it is not removed but it
> breaks service access).

This makes me think we may need a way to suppress some ad-types from
the request, which I think is not possible with the current API.  If
so, maybe we could add an out param to sign_authdata() with a list
of ad-types to filter out.
In contrast, perhaps we can reduce the number of passed arguments by
mandating the use of krb5_db_get_authdata_info(), and not passing
header_server and header_key.
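The two behaviours discussed in this thread, putting the PAC first in the ad-element list and suppressing selected ad-types before the list is returned from the authdata module, can be sketched in a small self-contained routine. This is an added illustration, not code from MIT Kerberos or from the thread's author: the `ad_element` struct is a stand-in for `krb5_authdata`, the `arrange_authdata()` function and the `AD_TYPE_SAMPLE_*` type numbers are hypothetical, and only `AD_TYPE_WIN2K_PAC` (128) is a real ad-type value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for krb5_authdata: one ad-element of an AD-IF-RELEVANT container. */
struct ad_element {
    int ad_type;
    size_t length;
    const unsigned char *contents;
};

/* Well-known ad-type of the Windows PAC (KRB5_AUTHDATA_WIN2K_PAC). */
#define AD_TYPE_WIN2K_PAC 128

/* Hypothetical ad-types used only by the constructed sample below. */
#define AD_TYPE_SAMPLE_OTHER 900
#define AD_TYPE_SAMPLE_DROP  901

static int is_suppressed(int ad_type, const int *suppress, size_t nsup)
{
    for (size_t i = 0; i < nsup; i++)
        if (suppress[i] == ad_type)
            return 1;
    return 0;
}

/*
 * Rewrite elems[] in place: drop elements whose ad_type appears in suppress[],
 * move the PAC (if present) to index 0, and keep the relative order of the rest.
 * Returns the number of elements remaining. elems[] must have room for n entries.
 */
size_t arrange_authdata(struct ad_element *elems, size_t n,
                        const int *suppress, size_t nsup)
{
    struct ad_element pac;
    int have_pac = 0;
    size_t out = 0;

    /* Pass 1: set the first PAC aside, drop suppressed types, compact the rest. */
    for (size_t i = 0; i < n; i++) {
        if (elems[i].ad_type == AD_TYPE_WIN2K_PAC && !have_pac) {
            pac = elems[i];
            have_pac = 1;
            continue;
        }
        if (is_suppressed(elems[i].ad_type, suppress, nsup))
            continue;
        elems[out++] = elems[i];   /* out <= i, so this never clobbers unread input */
    }

    /* Pass 2: shift the survivors right by one slot and place the PAC first. */
    if (have_pac) {
        memmove(&elems[1], &elems[0], out * sizeof(elems[0]));
        elems[0] = pac;
        out++;
    }
    return out;
}

/* Constructed sample: PAC in last position, plus one element to be suppressed. */
static int demo_types[3];

size_t run_demo(void)
{
    static const unsigned char blob[] = { 0x01, 0x02 };   /* constructed payload */
    struct ad_element elems[3] = {
        { AD_TYPE_SAMPLE_OTHER, sizeof blob, blob },
        { AD_TYPE_SAMPLE_DROP,  sizeof blob, blob },
        { AD_TYPE_WIN2K_PAC,    sizeof blob, blob },
    };
    const int suppress[] = { AD_TYPE_SAMPLE_DROP };
    size_t n = arrange_authdata(elems, 3, suppress, 1);

    for (size_t i = 0; i < n; i++)
        demo_types[i] = elems[i].ad_type;
    return n;   /* 2: the PAC followed by AD_TYPE_SAMPLE_OTHER */
}

int demo_type_at(size_t i)
{
    return demo_types[i];
}

int main(void)
{
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++)
        printf("element %zu: ad-type %d\n", i, demo_type_at(i));
    return 0;
}
```

The suppress list plays the role of the "out param with a list of ad-types to filter out" proposed above; the PAC-first reordering is what a trusted Windows KDC expects according to the quoted observation, and doing it in the module keeps that interop detail out of the caller.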

