From: Greg Hudson Date: Wed, 24 Oct 2018 03:00:24 +0000 (-0400) Subject: Document aliases for enterprise get_principal X-Git-Tag: krb5-1.17-beta1~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d149aed7c19e885b70fa05a251800c0acbff6c4;p=thirdparty%2Fkrb5.git Document aliases for enterprise get_principal Enterprise principals are always aliases. In most contexts when we see them we pass KRB5_KDB_FLAG_ALIAS_OK to the KDB module's get_principal method, but for S4U2Self clients we currently do not. Document that a KDB module may return an alias for enterprise principals regardless of flags. --- diff --git a/src/include/kdb.h b/src/include/kdb.h index cecba31809..9812a35e68 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -1018,9 +1018,10 @@ typedef struct _kdb_vftabl { * requested; also set by the admin interface. Determines whether the * module should return in-realm aliases. * - * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set. - * To return an in-realm alias, fill in a different value for - * entries->princ than the one requested. + * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set, + * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. To return an + * in-realm alias, fill in a different value for entries->princ than the + * one requested. * * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is
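Review bot: In the src/include/kdb.h hunk, the unchanged context sentence just above the rewritten paragraph ("Determines whether the module should return in-realm aliases.") still describes KRB5_KDB_FLAG_ALIAS_OK as the sole deciding factor, which no longer matches the new text allowing an alias whenever search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. Suggest rewording that sentence so the flag reads as one of two conditions. The new paragraph is also written only from the module's side ("A module can return ..."); since the commit message notes that S4U2Self client lookups do not pass the flag, it would help to state in the same comment that callers must be prepared for entries->princ to differ from search_for for enterprise names regardless of flags, so that code comparing the returned principal with the requested one does not assume the two are equal.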