krb5: report_canonical_client_name implies check_pac
@@ -242,6 +242,10 @@ init_context_from_config_file(krb5_context context)
|
||||
INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
|
||||
INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
|
||||
|
||||
/* need to verify the PAC if we are going to report the canonical client name */
|
||||
if (flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
|
||||
flags |= KRB5_CTX_F_CHECK_PAC;
|
||||
|
||||
if (context->default_cc_name)
|
||||
free(context->default_cc_name);
|
||||
context->default_cc_name = NULL;
|
||||
|
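Review bot: The implied bit is only as effective as the order of the INIT_FLAG calls permits: if the `INIT_FLAG(..., KRB5_CTX_F_CHECK_PAC, ..., "check_pac")` line runs after this point (it is not visible in the hunk), an explicit `check_pac = false` in the config would clear the bit that `flags |= KRB5_CTX_F_CHECK_PAC;` just set, and the canonical name would again be taken from an unverified PAC. The implication should be applied after every flag has been read from the file, or the check_pac initializer should be confirmed to precede it. The comment also states only what the line does, not why it matters; I would write it as `/* The canonical client name is taken from the PAC, so it must not be reported unless the PAC has been validated: force check_pac on. */`. The implication is computed once here from the config file, so any later code path that toggles KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME on an existing context would not get it re-applied — worth a note if such a path exists. init_context_from_config_file starts and ends outside the hunk.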
@@ -518,9 +518,17 @@ If this flag is true, then all application protocol authentication
|
||||
requests will be flagged to indicate that the application supports
|
||||
channel bindings when operating over a secure channel.
|
||||
The default value is false.
|
||||
.It Li check_pac = Va boolean
|
||||
If this flag is true and a Windows Privilege Attribute Certificate (PAC)
|
||||
is present in the ticket authorization data, then
|
||||
.Xr krb5_rd_req 3
|
||||
will validate the PAC before returning success. The default value is true.
|
||||
.It Li report_canonical_client_name = Va boolean
|
||||
If this flag is true, then the canonical client name from the PAC will
|
||||
be used instead of the client name in the ticket. The default value is false.
|
||||
Note that setting it to true implicitly sets
|
||||
.Va check_pac
|
||||
to true.
|
||||
.El
|
||||
.It Li [domain_realm]
|
||||
This is a list of mappings from DNS domain to Kerberos realm.
|
||||
|