Document aliases for enterprise get_principal

Enterprise principals are always aliases.  In most contexts when we
see them we pass KRB5_KDB_FLAG_ALIAS_OK to the KDB module's
get_principal method, but for S4U2Self clients we currently do not.
Document that a KDB module may return an alias for enterprise
principals regardless of flags.

diff --git a/src/include/kdb.h b/src/include/kdb.h
index cecba3180913bda25a7e5cb661eaf6c61120b368..9812a35e68a1818eab24c104c00d67ba555091e7 100644 (file)
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1018,9 +1018,10 @@ typedef struct _kdb_vftabl {
      *     requested; also set by the admin interface.  Determines whether the
      *     module should return in-realm aliases.
      *
-     * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set.
-     * To return an in-realm alias, fill in a different value for
-     * entries->princ than the one requested.
+     * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set,
+     * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL.  To return an
+     * in-realm alias, fill in a different value for entries->princ than the
+     * one requested.
      *
      * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE
      * is set.  For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is