Diffstat (limited to 'src/lib/gssapi/generic/gssapi_ext.h')
-rw-r--r--src/lib/gssapi/generic/gssapi_ext.h40
1 files changed, 36 insertions, 4 deletions
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index 7a594fe..0e9178a 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -41,11 +41,43 @@ gss_pname_to_uid
const gss_OID mech_type,
uid_t *uidOut);
+/** Determine whether a mechanism name is authorized to act as a username.
+ *
+ * @param [in] name Mechanism name
+ * @param [in] username System username
+ *
+ * This is a simple wrapper around gss_authorize_localname(). It only supports
+ * system usernames as local names, and cannot distinguish between lack of
+ * authorization and other errors.
+ *
+ * @retval 1 @a name is authorized to act as @a username
+ * @retval 0 @a name is not authorized or an error occurred
+ */
+int KRB5_CALLCONV
+gss_userok(const gss_name_t name,
+ const char *username);
+
+/** Determine whether a mechanism name is authorized to act as a local name.
+ *
+ * @param [out] minor Minor status code
+ * @param [in] name Mechanism name
+ * @param [in] user Local name
+ *
+ * @a name is a mechanism name, typically the result of a completed
+ * gss_accept_sec_context(). @a user is an internal name representing a local
+ * name, such as a name imported by gss_import_name() with an @a
+ * input_name_type of @c GSS_C_NT_USER_NAME.
+ *
+ * @return Return GSS_S_COMPLETE if @a name is authorized to act as @a user,
+ * GSS_S_UNAUTHORIZED if not, or an appropriate GSS error code if an error
+ * occured.
+ *
+ * @sa gss_userok
+ */
OM_uint32 KRB5_CALLCONV
-gss_userok(OM_uint32 *minor,
- const gss_name_t name,
- const char *user,
- int *user_ok);
+gss_authorize_localname(OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_name_t user);
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_with_password(
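Review bot: The new `gss_userok()` keeps the name of the removed four-argument function but flips the meaning of a zero return, and its doc comment does not warn about this. The removed declaration returned an `OM_uint32` status, where 0 is `GSS_S_COMPLETE`, while the new one returns `int` with 0 meaning "not authorized or an error occurred". A caller ported by trimming arguments and keeping a status-style check would invert or bypass the authorization decision, so I would add `@note The return value is a boolean, not a GSS status code; 0 means denied and must not be compared with GSS_S_COMPLETE.` to the `gss_userok` comment. The `gss_authorize_localname` comment should likewise say that callers must treat every return other than `GSS_S_COMPLETE` as a denial, not only `GSS_S_UNAUTHORIZED`. "occured" in its `@return` text should read "occurred".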