[email protected] wrote: > Hi Luke > > On Feb 24, 9:36 pm, Luke Howard <[email protected]> wrote: >>> I don't recall offhand if there's been an IETF draft proposing the >>> specific extension we've got for extracting the session key. > >> major = gss_inquire_sec_context_by_oid(&minor, >> ctx, >> GSS_C_INQ_SSPI_SESSION_KEY, >> &skey); > > Cool, we (Java SE Team at Sun) are also preparing to add a new method > getSessionKey() to OpenJDK's JGSS-API for Java EE needs. > > BTW, I read the krb5-1.7 codes and notice you're supporting some other > OIDs for this new function: > > KRB5_GET_TKT_FLAGS > KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
Please add at least the above, as it would let the caller get the Microsoft PAC from the Kerberos ticket if the KDC was Microsoft AD. The PAC Contains user and group SSIDs and other info from AD. Original W2000: http://msdn.microsoft.com/en-us/library/aa302203.aspx More upto ddate info: http://technet.microsoft.com/en-us/library/cc733967.aspx http://msdn.microsoft.com/en-us/library/cc237917(PROT.10).aspx Google for site:microsoft.com ms-pac Would be useful in a Samba environment which can also add a PAC. > KRB5_EXPORT_LUCID_SEC_CONTEXT > KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT > > I wonder how widely they are required and whether we should also > support them. Can you give me some background info? > > Thanks > Weijun > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert <[email protected]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
