author: Andrew Bartlett <abartlet@samba.org> 2005-10-26 23:41:01 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:45:18 -0500
commit: 14a3abd5591a7c310bdd2638e5c06833dc2c8f92
tree: 5c1036f7ece29289ec9d1ede93ceb5a254dbd978 /source4/auth/kerberos/kerberos-notes.txt
parent: 22c912329601d141fdba7359eb6dcec7a84dae69
r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.

Also use the API function for getting a client from a ticket, rather than
just digging in the structure.

Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)

Diffstat (limited to 'source4/auth/kerberos/kerberos-notes.txt')
-rw-r--r-- source4/auth/kerberos/kerberos-notes.txt 14
1 files changed, 6 insertions, 8 deletions
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index a36bf556aa..83fb886c45 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -309,6 +309,12 @@ Samba makes extensive use of the principal manipulation functions in
Heimdal, including the known structure behind krb_principal and
krb5_realm (a char *).
+Authz data extraction
+---------------------
+
+We use krb5_ticket_get_authorization_data_type(), and expect it to
+return the correct authz data, even if wrapped in an AD-IFRELEVENT container.
+
KDC Extensions
--------------
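Review bot: "AD-IFRELEVENT" in the added paragraph is misspelled; the container is AD-IF-RELEVANT, and the exact spelling matters to anyone searching these notes against the Kerberos specification or the Heimdal source. The sentence also records only an expectation ("expect it to return the correct authz data") without naming the authorization-data type being requested or what the caller does when the function returns an error or nothing. The commit message says this call is now how the PAC is extracted, so the note should say that here and state what Samba does on failure.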
@@ -392,14 +398,6 @@ PAC Correctness
We need to put the PAC into the TGT, not just the service ticket.
-Authz data extraction
----------------------
-
-We need to parse the authz data field correctly, and have a generic
-rouitine to get at particular types of data, no matter their inclusion
-in 'if relevent' or other stuctures. This should be a utlity function
-we can use in both the client libs and KDC.
-
Forwarded tickets
-----------------
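Review bot: The removed section carried a requirement that the replacement paragraph added at line 309 does not restate: a routine "we can use in both the client libs and KDC". The new text says only "We use krb5_ticket_get_authorization_data_type()", which documents the ticket-consuming side. If the KDC still needs the same unwrapping of 'if relevent' and other containers, keep that as an open item in this list rather than dropping it along with the section.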