[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [patch] miscellaneous mechglue stuff

On Mon, 8 May 2006 00:39:39 -0500
Nicolas Williams <Nicolas.Williams@sun.com> wrote:

> On Mon, May 08, 2006 at 10:29:57AM +1000, Luke Howard wrote:
> > 
> > >The best thing would be to advocate gss_krb5_inquire_sec_context_by_oid w/
> > >OIDs for the subkey and PAC [1] w/ support in MIT and stock Heimdal.
> > 
> > For accessing the PAC, we will probably move to store the authorization
> > data inside a gss_name_t() and provide something like gss_inquire_name_by_oid
> > rather than extracting it from the context.
> The API is already specified, albeit in an Internet-Draft -- see the
> IETF KITTEN WG page, see draft-ietf-kitten-gssapi-naming-exts-01.txt.
> Now, you'd still have to specify some extra bits, but not much.

I can't find this document. Is this what you're talking about?


Excuse me for being dull but how exactly would one export the PAC from a
kerberos ticket negotiated via GSSAPI? I hope the plan isn't to somehow
interpret the PAC - it's NDR encoded and doesn't contain names of groups,
only SIDs.