MIT Kerberos Documentation

krb5_pac_sign_ext - Sign a PAC, possibly with a specified realm.

krb5_error_code krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_boolean with_realm, krb5_data * data)
param:

[in] context - Library context

[in] pac - PAC handle

[in] authtime - Expected timestamp

[in] principal - Principal name (or NULL)

[in] server_key - Key for server checksum

[in] privsvr_key - Key for KDC checksum

[in] with_realm - If true, include the realm of principal

[out] data - Signed PAC encoding

This function is similar to krb5_pac_sign() , but adds a parameter with_realm . If with_realm is true, the PAC_CLIENT_INFO field of the signed PAC will include the realm of principal as well as the name. This flag is necessary to generate PACs for cross-realm S4U2Self referrals.

Note

New in 1.17