authorGreg Hudson <ghudson@mit.edu>2010-02-01 17:18:23 +0000
committerGreg Hudson <ghudson@mit.edu>2010-02-01 17:18:23 +0000
commit89f378fe89c2cf51ba528827b9bd888d415a1746 (patch)
treee563f90d98bc9bddbe52abc34708b353e8ae2068 /src/include/kdb.h
parentc1054423740e424e027adf93e7d1b4720ec027de (diff)
Correct the DAL documentation of
KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE; proxy is the target service, not the delegating service. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23680 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r--src/include/kdb.h14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 187aa4679d..f9caca4162 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1424,11 +1424,15 @@ typedef struct _kdb_vftabl {
*
* KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a
* kdb_check_allowed_to_delegate_req structure. Perform a policy check
- * on proxy being allowed to act on behalf of client to server. Return
- * 0 if policy allows it, or an appropriate error (such as
- * KRB5KDC_ERR_POLICY) if not. If this method is not implemented, all
- * S4U2Proxy delegation requests will be rejected. Do not place any
- * data in rep.
+ * on server being allowed to obtain tickets from client to proxy.
+ * (Note that proxy is the target of the delegation, not the delegating
+ * service; the term "proxy" is from the viewpoint of the delegating
+ * service asking another service to perform some of its work in the
+ * authentication context of the client. This terminology comes from
+ * the Microsoft S4U protocol documentation.) Return 0 if policy
+ * allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if
+ * not. If this method is not implemented, all S4U2Proxy delegation
+ * requests will be rejected. Do not place any data in rep.
*/
krb5_error_code (*db_invoke)(krb5_context context, unsigned int method,
const krb5_data *req, krb5_data *rep);
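Review bot: The new text for KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE explains the three roles only inside a long parenthetical, so a backend author who still reads "proxy" as the delegating service could implement a policy check that authorizes the wrong principal. Because this method is the authorization gate for S4U2Proxy, I would put an explicit role list ahead of the return contract, for example `client: principal being represented; server: service requesting delegation; proxy: target service of the ticket`. It would also help to name the matching members of kdb_check_allowed_to_delegate_req, which are not visible in this hunk and should be confirmed against the struct definition. The statement that an unimplemented method rejects all S4U2Proxy requests is the fail-closed default and should stay as worded. The comment block and the enclosing struct _kdb_vftabl both begin and end outside the hunk.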