krb5_pac_verify - Verify a PAC.
=================================

..

.. c:function:: krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr)

..

:param:

	          **[in]** **context** - Library context

	          **[in]** **pac** - PAC handle

	          **[in]** **authtime** - Expected timestamp

	          **[in]** **principal** - Expected principal name (or NULL)

	          **[in]** **server** - Key to validate server checksum (or NULL)

	          **[in]** **privsvr** - Key to validate KDC checksum (or NULL)


..


:retval:
         -   0   Success; otherwise - Kerberos error codes


..

This function validates *pac* against the supplied *server*, *privsvr*, *principal* and *authtime*. If *principal* is NULL, the principal and authtime are not verified. If *server* or *privsvr* is NULL, the corresponding checksum is not verified.

If successful, *pac* is marked as verified.

..

.. note::

	 A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication for this reason, but instead treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.
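
An added example, not code from the krb5 project: a caller-side policy sketch that applies the note above and never reports a PAC as verified when NULL arguments would have made krb5_pac_verify skip a check. The names `pac_verify_fn`, `pac_trust`, `classify_pac`, `stub_verify` and `demo` are hypothetical, and the function-pointer type is a stand-in for the real signature so the block builds without libkrb5.

```c
#include <stddef.h>

/* Hypothetical stand-in shaped like krb5_pac_verify() so the sketch builds
 * without libkrb5; a real adapter would forward to it. 0 means success. */
typedef int (*pac_verify_fn)(void *context, void *pac, int authtime,
                             const void *principal, const void *server,
                             const void *privsvr);

enum pac_trust {     /* hypothetical trust levels for the acceptor */
    PAC_UNVERIFIED,  /* treat the ticket as if it carried no PAC */
    PAC_SERVER_ONLY, /* server checksum, principal and authtime checked */
    PAC_FULL         /* as above, plus the KDC checksum */
};

enum pac_trust
classify_pac(pac_verify_fn verify, void *context, void *pac, int authtime,
             const void *principal, const void *server, const void *privsvr)
{
    /* A NULL principal skips the name/authtime check and a NULL server key
     * skips the server checksum, so success would not bind the PAC to this
     * client. Policy of this example: never report that as verified. */
    if (pac == NULL || principal == NULL || server == NULL)
        return PAC_UNVERIFIED;
    /* Per the note: a failed check degrades the PAC, not the whole login. */
    if (verify(context, pac, authtime, principal, server, privsvr) != 0)
        return PAC_UNVERIFIED;
    /* The KDC checksum was verified only if a privsvr key was supplied. */
    return privsvr != NULL ? PAC_FULL : PAC_SERVER_ONLY;
}

/* Constructed stub verifier: returns the result code stored in *context. */
static int stub_verify(void *context, void *pac, int authtime,
                       const void *principal, const void *server,
                       const void *privsvr)
{
    (void)pac; (void)authtime; (void)principal; (void)server; (void)privsvr;
    return *(int *)context;
}

/* Constructed driver: dummy non-NULL handles, stubbed verification result. */
enum pac_trust demo(int rc, int have_principal, int have_server, int have_kdc)
{
    int pac = 0, name = 0, skey = 0, kkey = 0;
    return classify_pac(stub_verify, &rc, &pac, 0,
                        have_principal ? &name : NULL,
                        have_server ? &skey : NULL, have_kdc ? &kkey : NULL);
}
```

Authorization code would consume PAC contents only at `PAC_SERVER_ONLY` or `PAC_FULL`, and fall back to non-PAC identity data at `PAC_UNVERIFIED`.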