krb5: report_canonical_client_name implies check_pac

Luke Howard
2021-12-22 14:33:01 +11:00
parent 9aa67e58ba
commit 5ba4607277
2 changed files with 12 additions and 0 deletions


@@ -242,6 +242,10 @@ init_context_from_config_file(krb5_context context)
INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
/* need to verify the PAC if we are going to report the canonical client name */
if (flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
flags |= KRB5_CTX_F_CHECK_PAC;
if (context->default_cc_name)
free(context->default_cc_name);
context->default_cc_name = NULL;
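Review bot: the coupling added here, `if (flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME) flags |= KRB5_CTX_F_CHECK_PAC;`, silently overrides an explicit `check_pac = false` in the same section, and since check_pac already defaults to true that is the only case where the new lines change behaviour; consider logging or documenting that an explicit false is ignored rather than overriding it without notice. Because the dependency is enforced only inside init_context_from_config_file, any other path that sets KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME would not pick up KRB5_CTX_F_CHECK_PAC; if such a path exists, the safer place to enforce "no canonical name without a verified PAC" is where the name is actually read from the PAC.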


@@ -518,9 +518,17 @@ If this flag is true, then all application protocol authentication
requests will be flagged to indicate that the application supports
channel bindings when operating over a secure channel.
The default value is false.
.It Li check_pac = Va boolean
If this flag is true and a Windows Privilege Attribute Certificate (PAC)
is present in the ticket authorization data, then
.Xr krb5_rd_req 3
will validate the PAC before returning success. The default value is true.
.It Li report_canonical_client_name = Va boolean
If this flag is true, then the canonical client name from the PAC will
be used instead of the client name in the ticket. The default value is false.
Note that setting it to true implicitly sets
.Va check_pac
to true.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
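Review bot: the new note `Note that setting it to true implicitly sets .Va check_pac to true.` should state that this happens even when check_pac is explicitly set to false, since that is the only situation in which the implication has any effect (check_pac defaults to true per the entry above). The new report_canonical_client_name entry also says only that the canonical name "will be used instead of the client name in the ticket"; the check_pac entry names .Xr krb5_rd_req 3, so naming the function in which the substitution takes effect would make the two entries consistent and tell readers where to expect the changed name.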