Re: MS kerb drafts

[Luke Howard <lukeh@PADL.COM>]

>> and support for the KRB5_NT_ENTERPRISE_PRINCIPAL name type to
>> Heimdal. If you are please get in touch so we can coordinate
>> efforts.
>
>I haven't been looking at this at all.  Could you point me at the
>relevant documents where this is defined?

doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt

I'm working a new backend that will use LDAP and the Active
Directory schema. I think all the backend will need to do is
handle the different name types (which, in the case of Active
Directory, may be done by searching for the userPrincipalName
attribute) and canonicalize the principal name if it is different
to the enterprise name. The KDC will need to check whether the
principal in the returned hdb_entry is different to the one it
tried to fetch and, if so, return an error with the new principal.

On a related note, I want to add support for the backend returning
authorization data. I haven't looked into this much yet, but is
it naive to import and add AuthorizationData to hdb_entry so that
the backend can cook up a PAC? I haven't looked into how I would
need to modify the KDC to return this to the client, it does look
pretty hairy.


-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com