Wyllys Ingersoll wrote:
> I am sponsoring the following fast track for Glenn Barry.
>
>
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>          Kerberos V5 PAC API
>     1.2. Name of Document Author/Supplier:
>          Author: Glenn Barry
>     1.3  Date of This Document:
>          28 July, 2009
> 4. Technical Description
> Template Version: @(#)sac_nextcase 1.55 08/11/04 SMI
>
> 1. Introduction
>     1.1. Project/Component Working Name:
>          Kerberos V5 PAC API
>     1.2. Name of Document Author/Supplier:
>          Author: Glenn Barry
>     1.3  Date of This Document:
>          July, 2009
> 4. Technical Description
>
> ABSTRACT
> --------
>
> This case will expose the Kerberos V5 (aka krb5) PAC (Privilege
> Attribute Certificate) API via a resync with MIT Kerberos 1.7. This
> will allow native krb5 applications to decode and access the PAC part
> of the Kerberos ticket used by Windows-based protocols and systems.
>
> This case introduces several new entry points into the libkrb5 and
> libgss libraries and additions to header files krb5.h and
> gssapi_ext.h. Also, man page updates will be provided.
>
> BACKGROUND
> ----------
>
> The OpenSolaris Kerberos functionality is currently based on MIT
> Kerberos V5 1.6.3 and is available to applications via libkrb5(3LIB)
> and libgss(3LIB). The MIT Kerberos team recently released v1.7 which
> contains support for the PAC which is a Microsoft Kerberos extension
> to include authorization data (i.e. global group membership). This
> PAC API facilitates interoperability with Windows networking protocols
> such as CIFS (Common Internet File System) which is a protocol for
> remote file access.
>
>
> CONSUMERS
> ---------
>
> - OpenSolaris CIFS
>
> PROPOSAL
> --------
>
> We propose:
>
> - the following additions to libkrb5(3LIB):
>
>     struct krb5_pac_data;
>     typedef struct krb5_pac_data *krb5_pac;
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_add_buffer
>         (krb5_context context,
>          krb5_pac pac,
>          krb5_ui_4 type,
>          const krb5_data *data);
>
>     void KRB5_CALLCONV
>     krb5_pac_free
>         (krb5_context context,
>          krb5_pac pac);
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_get_buffer
>         (krb5_context context,
>          krb5_pac pac,
>          krb5_ui_4 type,
>          krb5_data *data);
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_get_types
>         (krb5_context context,
>          krb5_pac pac,
>          size_t *len,
>          krb5_ui_4 **types);
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_init
>         (krb5_context context,
>          krb5_pac *pac);
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_parse
>         (krb5_context context,
>          const void *ptr,
>          size_t len,
>          krb5_pac *pac);
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_pac_verify
>         (krb5_context context,
>          const krb5_pac pac,
>          krb5_timestamp authtime,
>          krb5_const_principal principal,
>          const krb5_keyblock *server,
>          const krb5_keyblock *privsvr);
>
>
>     #define KRB5_AUTHDATA_WIN2K_PAC 128
>
>     krb5_error_code KRB5_CALLCONV
>     krb5_decode_authdata_container(krb5_context context,
>                                    krb5_authdatatype type,
>                                    const krb5_authdata *container,
>                                    krb5_authdata ***authdata);
>     krb5_error_code KRB5_CALLCONV
>     krb5_encode_authdata_container(krb5_context context,
>                                    krb5_authdatatype type,
>                                    krb5_authdata * const*authdata,
>                                    krb5_authdata ***container);
>
>
> - the following new GSS-API extensions to libgss(3LIB):
>
>     /*
>      * GGF (Global Grid Forum) extensions
>      */
>     typedef struct gss_buffer_set_desc_struct {
>         size_t count;
>         gss_buffer_desc *elements;
>     } gss_buffer_set_desc, *gss_buffer_set_t;
>
>     #define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)
>
>     OM_uint32 gss_create_empty_buffer_set
>         (OM_uint32 * /*minor_status*/,
>          gss_buffer_set_t * /*buffer_set*/);
>
>     OM_uint32 gss_add_buffer_set_member
>         (OM_uint32 * /*minor_status*/,
>          const gss_buffer_t /*member_buffer*/,
>          gss_buffer_set_t * /*buffer_set*/);
>
>     OM_uint32 gss_release_buffer_set
>         (OM_uint32 * /*minor_status*/,
>          gss_buffer_set_t * /*buffer_set*/);
>
>     OM_uint32 gss_inquire_sec_context_by_oid
>         (OM_uint32 * /*minor_status*/,
>          const gss_ctx_id_t /*context_handle*/,
>          const gss_OID /*desired_object*/,
>          gss_buffer_set_t * /*data_set*/);
>
>     Desired Object OIDs:
>         extern const gss_OID GSS_C_INQ_SSPI_SESSION_KEY;
>             Returns a buffer set with the first member containing the
>             session key for SSPI compatibility. The optional second
>             member contains an OID identifying the session key type.
>
>
> DOCUMENTATION
> -------------
>
> - We will provide updates to man pages libkrb5(3LIB) and libgss(3LIB).
>
> - We will not provide detailed documentation of this new API but will
>   provide a pointer to it at MIT as it becomes available.
>
>
> NOTES
> -----
>
> - MIT Kerberos PAC project page
>   http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs
>
> - Windows 2000 PAC Information Internet Draft
>   http://ietfreport.isoc.org/idref/draft-brezak-win2k-krb-authz/
>
> INTERFACE STABILITY AND RELEASE BINDINGS
> ----------------------------------------
>
> Interface                     Stability     Release Binding
>
> New API in libkrb5(3LIB)      External      micro/patch
> New API in libgss(3LIB)       External      micro/patch
>

External is no longer a valid stability classification.  Please choose
from: Volatile, Uncommitted, Committed.  I suspect Uncommitted is what
you really want.  But that depends on how much change is happening.
It's also hard to justify Uncommitted (IMO) without having at least
*some* documentation for the interfaces.

    - Garrett

> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>         6.4.1. Consolidation C-team Name:
>             ON
>     6.5. ARC review type: FastTrack
>
>
> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>         6.4.1. Consolidation C-team Name:
>             ON
>     6.5. ARC review type: FastTrack
>     6.6. ARC Exposure: open
>
>
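The libkrb5 additions in the proposal (krb5_pac_parse, krb5_pac_get_buffer) operate on the PACTYPE encoding described in the Brezak draft the case links to: a buffer count and version, a table of PAC_INFO_BUFFER descriptors, then the buffers themselves. The following is an added illustration written for this page, not code from MIT Kerberos or OpenSolaris: a bounds-checked C reader for that layout run over a constructed sample blob, with my own names (pac_view, pac_parse, pac_get_buffer, sample_client_info_size).

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not MIT/OpenSolaris code: a bounds-checked reader for the PACTYPE
 * layout the libkrb5 PAC API parses (cBuffers, Version, then PAC_INFO_BUFFER[] of
 * ulType, cbBufferSize, 64-bit Offset; all little-endian). Names are my own. */
#define PAC_HEADER_LEN 8
#define PAC_INFO_BUFFER_LEN 16
#define PAC_MAX_BUFFERS 16
typedef struct { uint32_t type; uint32_t size; uint64_t offset; } pac_info_buffer;
typedef struct { const uint8_t *data; uint32_t nbuffers; pac_info_buffer buf[PAC_MAX_BUFFERS]; } pac_view;
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
/* 0 on success, -1 on a malformed PAC. The blob arrives inside the ticket, so every
 * rejection here is a descriptor that could otherwise steer reads outside the blob. */
int pac_parse(const uint8_t *data, size_t len, pac_view *out) {
    if (len < PAC_HEADER_LEN) return -1;
    uint32_t n = rd32(data), version = rd32(data + 4);
    if (version != 0 || n == 0 || n > PAC_MAX_BUFFERS) return -1;
    size_t hdr = PAC_HEADER_LEN + (size_t)n * PAC_INFO_BUFFER_LEN;
    if (hdr > len) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = data + PAC_HEADER_LEN + (size_t)i * PAC_INFO_BUFFER_LEN;
        pac_info_buffer b = { rd32(e), rd32(e + 4), rd64(e + 8) };
        /* past the descriptor table, inside len (overflow-safe), 8-byte aligned */
        if (b.offset < hdr || b.offset > len || b.size > len - b.offset || (b.offset & 7)) return -1;
        out->buf[i] = b;
    }
    out->data = data; out->nbuffers = n;
    return 0;
}
/* Counterpart of krb5_pac_get_buffer: locate the first buffer of a given type. */
int pac_get_buffer(const pac_view *p, uint32_t type, const uint8_t **ptr, size_t *size) {
    for (uint32_t i = 0; i < p->nbuffers; i++)
        if (p->buf[i].type == type) { *ptr = p->data + p->buf[i].offset; *size = p->buf[i].size; return 0; }
    return -1;
}
/* Constructed sample (type 6 server checksum, type 10 client info); payload is filler. */
static const uint8_t sample_pac[52] = {
    2,0,0,0, 0,0,0,0,                     /* cBuffers = 2, Version = 0 */
    6,0,0,0, 8,0,0,0, 40,0,0,0,0,0,0,0,   /* type 6, 8 bytes at offset 40 */
    10,0,0,0, 4,0,0,0, 48,0,0,0,0,0,0,0,  /* type 10, 4 bytes at offset 48 */
    0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,0x11, 1,2,3,4 };
/* Size of the type-10 buffer if the first len bytes of the sample parse, else -1. */
int sample_client_info_size(size_t len) {
    pac_view v; const uint8_t *p; size_t sz;
    if (pac_parse(sample_pac, len, &v) != 0) return -1;
    return pac_get_buffer(&v, 10, &p, &sz) == 0 ? (int)sz : -1;
}
```

The rejected cases (a truncated blob, a descriptor whose offset or size runs past the end) are exactly what a consumer such as the CIFS server must not assume a ticket gets right; the checksum verification that krb5_pac_verify performs is a separate step and is not modelled here.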