
Re: init_sec_context.c / profile reading

Chris Chiappa <griffon+heimdal-discuss@snurgle.org> writes:
> This means that unfortunately if you want renewable and proxiable tickets by
> default on a machine you're out of luck - the gssapi code doesn't give you a
> way as far as I can tell to specify this (and in a related vein it doesn't
> seem to me that forwarded tickets should automatically be marked
> forwardable).  Instead it seems like the gssapi code should be able to do
> something like this:
>     krb5_get_init_creds_opt opt;
>     krb5_kdc_flags fwd_flags;
>     krb5_get_init_creds_opt_init(&opt);
>     krb5_get_init_creds_opt_set_default_flags(gssapi_krb5_context,
>                                               "gssapi",
>                                               creds.client->realm,
>                                               &opt);
>     krb5_munge_opts_to_flags(&opt, &fwd_flags);
>     fwd_flags.b.forwarded = 1;

Yes, I think this is better. It's a little ugly having the program
name of `gssapi', but that's probably fine.

> where krb5_munge_opts_to_flags basically does much of what
> init_creds_pw.c:get_init_creds_common currently does.  Comments?  It could
> be that I'm missing something but the current setup seems to require a lot
> of duplicate effort for any code that wants to initialize ticket options
> from krb5.conf.

Yeah, the common code should get extracted.
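
A sketch of the extracted helper discussed in this thread, added here as an example; it is not Heimdal code and not from either poster. The struct layouts, the OPT_* mask values and the model_* names are simplified stand-ins assumed for illustration. It shows the least-privilege behaviour raised above: a forwarded ticket always gets `forwarded`, but `forwardable`, `proxiable` and `renewable` only when the configuration explicitly asked for them.

```c
#include <stdio.h>

/* Stand-in types: a simplified model, not Heimdal's real structures. */
enum { OPT_FORWARDABLE = 1, OPT_PROXIABLE = 2, OPT_RENEW_LIFE = 4 };

struct model_opt {
    unsigned set;        /* mask of fields that were explicitly configured */
    int forwardable;
    int proxiable;
    long renew_life;     /* seconds; 0 means no renewal requested */
};

struct model_kdc_flags {
    unsigned forwardable:1, forwarded:1, proxiable:1, renewable:1;
};

/* Hypothetical counterpart of the proposed krb5_munge_opts_to_flags:
 * copy only options that were explicitly set; everything else stays 0. */
static struct model_kdc_flags model_opts_to_flags(const struct model_opt *o)
{
    struct model_kdc_flags f = {0};
    if (o->set & OPT_FORWARDABLE)
        f.forwardable = (o->forwardable != 0);
    if (o->set & OPT_PROXIABLE)
        f.proxiable = (o->proxiable != 0);
    if ((o->set & OPT_RENEW_LIFE) && o->renew_life > 0)
        f.renewable = 1;
    return f;
}

/* Flags for a ticket being forwarded: forwarded is unconditional,
 * further delegation (forwardable) only if the configuration allows it. */
static struct model_kdc_flags model_forward_flags(const struct model_opt *o)
{
    struct model_kdc_flags f = model_opts_to_flags(o);
    f.forwarded = 1;
    return f;
}

int main(void)
{
    /* Constructed sample: renewable and proxiable configured, forwardable not. */
    struct model_opt o = { OPT_PROXIABLE | OPT_RENEW_LIFE, 1, 1, 86400 };
    struct model_kdc_flags f = model_forward_flags(&o);
    printf("forwarded=%u forwardable=%u proxiable=%u renewable=%u\n",
           (unsigned)f.forwarded, (unsigned)f.forwardable,
           (unsigned)f.proxiable, (unsigned)f.renewable);
    return 0;
}
```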