authorGreg Hudson <ghudson@mit.edu>2010-01-25 18:15:46 +0000
committerGreg Hudson <ghudson@mit.edu>2010-01-25 18:15:46 +0000
commit6be9dab66fea81d8de362aef3220b6dcdcb7cffd (patch)
treef5ed06cc39a25802c5f7c4fdc2bf999aae2c37b9 /src/include/kdb.h
parent1a9745b4696f800266a575f0b6676e3ec6953755 (diff)
In the DAL comments, document KRB5_KDB_INCLUDE_PAC, and correct the
documentation of the S4U flags to indicate that they affect PAC generation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23667 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r--src/include/kdb.h21
1 files changed, 14 insertions, 7 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 9d88606986..4c94d0adca 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -848,7 +848,8 @@ typedef struct _kdb_vftabl {
* The module must allocate each entry field separately, as callers may
* free individual fields using db_free. If the principal is not found,
* set *nentries to 0 and return success. The meaning of flags are as
- * follows:
+ * follows (some of these may be processed by db_invoke methods such as
+ * KRB5_KDB_METHOD_SIGN_AUTH_DATA rather than by db_get_principal):
*
* KRB5_KDB_FLAG_CANONICALIZE: Indicates that a KDC client requested name
* canonicalization. The module may return an out-of-realm referral by
@@ -857,6 +858,11 @@ typedef struct _kdb_vftabl {
* filling in an in-realm principal name in entries->princ other than
* the one requested.
*
+ * KRB5_KDB_INCLUDE_PAC: Set by the KDC during an AS request when the
+ * client requested PAC information during padata, and during most TGS
+ * requests. Indicates that the module should include PAC information
+ * when generating authorization data.
+ *
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY: Set by the KDC when looking up the
* client entry in an AS request. Indicates that the module should
* return out-of-realm referral information in lieu of cross-realm TGT
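Review bot: The flag name introduced in the new paragraph, KRB5_KDB_INCLUDE_PAC, does not carry the KRB5_KDB_FLAG_ prefix that every other flag documented in this comment uses; if the macro actually defined is KRB5_KDB_FLAG_INCLUDE_PAC, the comment should spell it exactly that way so a reader searching the header lands on the definition. The phrase `during most TGS requests` also leaves the exception unnamed; if it is the KRB5_KDB_NO_AUTH_DATA_REQUIRED case already described under KRB5_KDB_FLAG_MAP_PRINCIPALS further down, say so, because a module that includes a PAC when the flag is absent, or omits one when it is set, changes the authorization data the issued ticket carries. A minimal fix would be to change the first line to `* KRB5_KDB_FLAG_INCLUDE_PAC: Set by the KDC during an AS request when the` and to name the excluded TGS case in the second sentence. The _kdb_vftabl definition this comment belongs to begins and ends outside the hunk.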
@@ -865,16 +871,17 @@ typedef struct _kdb_vftabl {
* KRB5_KDB_FLAG_MAP_PRINCIPALS: Set by the KDC when looking up the client
* entry during TGS requests, except for S4U TGS requests and requests
* where the server entry has the KRB5_KDB_NO_AUTH_DATA_REQUIRED
- * attribute. Indicates that the module should map cross-realm
- * principals if it is capable of doing so.
+ * attribute. Indicates that the module should map foreign principals
+ * to local principals if it supports doing so.
*
* KRB5_KDB_FLAG_PROTOCOL_TRANSITION: Set by the KDC when looking up the
- * client entry during an S4U2Self TGS request. No special behavior is
- * needed.
+ * client entry during an S4U2Self TGS request. This affects the PAC
+ * information which should be included when authorization data is
+ * generated; see the Microsoft S4U specification for details.
*
* KRB5_KDB_FLAG_CONSTRAINED_DELEGATION: Set by the KDC when looking up the
- * client entry during an S4U2Proxy TGS request. No special behavior
- * is needed.
+ * client entry during an S4U2Proxy TGS request. Also affects PAC
+ * generation.
*
* KRB5_KDB_FLAG_CROSS_REALM: Set by the KDC when looking up a client entry
* during a TGS request, if the client principal is not part of the
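Review bot: The rewritten KRB5_KDB_FLAG_CONSTRAINED_DELEGATION text, `Also affects PAC generation.`, says less than the parallel KRB5_KDB_FLAG_PROTOCOL_TRANSITION paragraph just above it and does not tell a module author how the two S4U cases differ, which is exactly where a mistake in generated authorization data would matter. Phrasing it in parallel would help, e.g. `* client entry during an S4U2Proxy TGS request. Like the protocol transition flag, this affects the PAC information included when authorization data is generated.` The pointer `see the Microsoft S4U specification for details` would be more useful as a citable document name (presumably the MS-SFU specification) so the reference can actually be looked up. The _kdb_vftabl definition this comment belongs to begins and ends outside the hunk.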