
Subject: gsskrb5_extract_authz_data_from_sec_context misses AD-IF-RELEVANT containers
gsskrb5_extract_authz_data_from_sec_context was added to make it possible
to get the PAC from a sec context, and is currently the only interface
shared between MIT krb5 and Heimdal for that purpose. (The current
preferred method, gss_get_name_attribute with the key "urn:mspac:", is not
yet implemented in Heimdal.)

Unfortunately, gsskrb5_extract_authz_data_from_sec_context does not look
inside AD-IF-RELEVANT containers, and PACs are now shipped in those
containers. So it's mostly useless for the intended purpose. We should
use krb5_find_authdata to find the authorization data element instead.
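The difference between a top-level-only lookup and a container-aware search, as an added example that is not code from MIT krb5 or Heimdal: a standalone sketch that walks DER-encoded AuthorizationData and optionally descends into AD-IF-RELEVANT. The names `tlv`, `find_ad` and `sample` are hypothetical, the sample bytes are constructed, and the ad-type values (1 for AD-IF-RELEVANT, 128 for the PAC) are the standard assignments.

```c
#include <stddef.h>
#define AD_IF_RELEVANT 1UL    /* RFC 4120 container ad-type */
#define AD_WIN2K_PAC   128UL  /* ad-type carrying the PAC */

/* Parse one DER header with the expected tag; returns header size, 0 on error. */
static size_t tlv(const unsigned char *p, size_t n, unsigned char tag, size_t *len)
{
    size_t h = 2, k, i;
    if (n < 2 || p[0] != tag) return 0;
    *len = p[1];
    if (p[1] & 0x80) {                       /* long form, at most 2 length bytes */
        k = p[1] & 0x7f;
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
        h += k;
    }
    return *len <= n - h ? h : 0;            /* contents must fit in the buffer */
}

/* Find ad-type `want` in DER AuthorizationData. depth 0 inspects top-level
 * elements only; depth > 0 also descends that many AD-IF-RELEVANT levels. */
const unsigned char *find_ad(const unsigned char *p, size_t n, unsigned long want,
                             int depth, size_t *out_len)
{
    size_t h, l, el, il, i;
    if (!(h = tlv(p, n, 0x30, &l))) return NULL;          /* SEQUENCE OF */
    for (p += h, n = l; n > 0; ) {
        const unsigned char *e, *r;
        unsigned long type = 0;
        if (!(h = tlv(p, n, 0x30, &el))) return NULL;     /* one element */
        e = p + h; p = e + el; n -= h + el;
        if (!(h = tlv(e, el, 0xA0, &l))) return NULL;     /* [0] ad-type */
        e += h; el -= h;
        if (!(h = tlv(e, l, 0x02, &il)) || il > 4) return NULL;
        for (i = 0; i < il; i++) type = (type << 8) | e[h + i];
        e += l; el -= l;
        if (!(h = tlv(e, el, 0xA1, &l))) return NULL;     /* [1] ad-data */
        e += h; el -= h;
        if (!(h = tlv(e, el, 0x04, &l))) return NULL;     /* OCTET STRING */
        if (type == want) { *out_len = l; return e + h; }
        if (depth > 0 && type == AD_IF_RELEVANT &&
            (r = find_ad(e + h, l, want, depth - 1, out_len)) != NULL) return r;
    }
    return NULL;
}

/* Constructed sample: AD-IF-RELEVANT wrapping one type-128 element "PAC!". */
const unsigned char sample[] = { 0x30,0x1D, 0x30,0x1B, 0xA0,0x03,0x02,0x01,0x01,
    0xA1,0x14,0x04,0x12, 0x30,0x10, 0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80,
    0xA1,0x06,0x04,0x04,'P','A','C','!' };
```

Calling `find_ad` on `sample` with depth 0 returns NULL, which is the behaviour the ticket describes; any positive depth returns the wrapped element.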