diff options
| author | Greg Hudson <ghudson@mit.edu> | 2018-10-23 23:00:24 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2018-10-25 11:20:45 -0400 |
| commit | 3d149aed7c19e885b70fa05a251800c0acbff6c4 (patch) | |
| tree | 4a2dfa4cf9f5b8d0a52911804fbc0a0c546ee85d | |
| parent | 6edfd8ed8a85d89613ef9365467142480b41751a (diff) | |
| download | krb5-3d149aed7c19e885b70fa05a251800c0acbff6c4.zip krb5-3d149aed7c19e885b70fa05a251800c0acbff6c4.tar.gz krb5-3d149aed7c19e885b70fa05a251800c0acbff6c4.tar.bz2 | |
Document aliases for enterprise get_principal
Enterprise principals are always aliases. In most contexts when we
see them we pass KRB5_KDB_FLAG_ALIAS_OK to the KDB module's
get_principal method, but for S4U2Self clients we currently do not.
Document that a KDB module may return an alias for enterprise
principals regardless of flags.
| -rw-r--r-- | src/include/kdb.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index cecba31..9812a35 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -1018,9 +1018,10 @@ typedef struct _kdb_vftabl { * requested; also set by the admin interface. Determines whether the * module should return in-realm aliases. * - * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set. - * To return an in-realm alias, fill in a different value for - * entries->princ than the one requested. + * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set, + * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. To return an + * in-realm alias, fill in a different value for entries->princ than the + * one requested. * * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is |