From 6be9dab66fea81d8de362aef3220b6dcdcb7cffd Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 25 Jan 2010 18:15:46 +0000
Subject: [PATCH] In the DAL comments, document KRB5_KDB_INCLUDE_PAC, and correct the documentation of the S4U flags to indicate that they affect PAC generation.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23667 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb.h | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 9d8860698..4c94d0adc 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -848,7 +848,8 @@ typedef struct _kdb_vftabl {
  * The module must allocate each entry field separately, as callers may
  * free individual fields using db_free. If the principal is not found,
  * set *nentries to 0 and return success. The meaning of flags are as
- * follows:
+ * follows (some of these may be processed by db_invoke methods such as
+ * KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by db_get_principal):
  *
  * KRB5_KDB_FLAG_CANONICALIZE: Indicates that a KDC client requested name
  * canonicalization. The module may return an out-of-realm referral by
@@ -857,6 +858,11 @@ typedef struct _kdb_vftabl {
  * filling in an in-realm principal name in entries->princ other than
  * the one requested.
  *
+ * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * client requested PAC information during padata, and during most TGS
+ * requests. Indicates that the module should include PAC information
+ * when generating authorization data.
+ *
  * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
  * client entry in an AS request. Indicates that the module should
  * return out-of-realm referral information in lieu of cross-realm TGT
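Review bot: The new entry in the second hunk is headed KRB5_KDB_INCLUDE_PAC while every other flag in this list is spelled KRB5_KDB_FLAG_*, so a module author grepping for the macro behind this paragraph may not find it; if the constant actually defined in this header is KRB5_KDB_FLAG_INCLUDE_PAC, the heading should match it, ` * KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the`. The phrase "during most TGS requests" also leaves the excluded cases unstated, which matters because it tells a backend when it may omit PAC data; naming the exception, or pointing at the KDC code that makes the decision, would make the contract checkable. The db_get_principal comment and the enclosing _kdb_vftabl typedef both start and end outside these hunks.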
@@ -865,16 +871,17 @@ typedef struct _kdb_vftabl {
  * KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
  * entry during TGS requests, except for S4U TGS requests and requests
  * where the server entry has the KRB5_KDB_NO_AUTH_DATA_REQUIRED
- * attribute. Indicates that the module should map cross-realm
- * principals if it is capable of doing so.
+ * attribute. Indicates that the module should map foreign principals
+ * to local principals if it supports doing so.
  *
  * KRB5_KDB_FLAG_PROTOCOL_TRANSITION: Set by the KDC when looking up the
- * client entry during an S4U2Self TGS request. No special behavior is
- * needed.
+ * client entry during an S4U2Self TGS request. This affects the PAC
+ * information which should be included when authorization data is
+ * generated; see the Microsoft S4U specification for details.
  *
  * KRB5_KDB_FLAG_CONSTRAINED_DELEGATION: Set by the KDC when looking up the
- * client entry during an S4U2Proxy TGS request. No special behavior
- * is needed.
+ * client entry during an S4U2Proxy TGS request. Also affects PAC
+ * generation.
  *
  * KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry
  * during a TGS request, if the client principal is not part of the
-- 
2.26.2
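Review bot: The rewritten KRB5_KDB_FLAG_CONSTRAINED_DELEGATION text says only "Also affects PAC generation", which tells a backend author that something must be done for S4U2Proxy but not what or where to look, and the KRB5_KDB_FLAG_PROTOCOL_TRANSITION text above it refers to "the Microsoft S4U specification" without a citable name. Presumably the intended reference is Microsoft's [MS-SFU] document; naming it once and pointing the S4U2Proxy entry at the same place would make both entries actionable, e.g. ` * client entry during an S4U2Proxy TGS request. Also affects PAC` / ` * generation; see the S4U specification ([MS-SFU]) for details.`. The surrounding db_get_principal comment and the _kdb_vftabl typedef start and end outside the hunk.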