[krbdev.mit.edu #2023] auth_to_localnames drops realm before match

""Nebergall@MIT.EDU ""Nebergall at MIT.EDU
Mon Nov 24 12:48:27 EST 2003


The auth_to_local_names attribute only consults the default realm for
matching, no matter what realm the user is authenticating from.  This
may be alright by itself because it makes it consistent with the auth_to_local
call.  The problem is that the realm of the user is dropped before the
match.  User1@anyrealm will always be treated the same as User1@defaultrealm
for the match.

Example from kerb 1.3.1

If I see roger@siteA.com or roger@siteB.com they both get mapped into roger1
using the krb5.conf settings below.

[libdefaults]
        default_realm = siteA.com

[realms]
        siteA.com = {
                kdc = something
                auth_to_local_names = {
                        roger = roger1
                }
        }

        siteB.com = {
                kdc = something
        }

lib/krb5/os/an_to_ln.c

    if (!(kret = krb5_get_default_realm(context, &realm))) {
        /* Flatten the name */
        if (!(kret = krb5_unparse_name(context, aname, &pname))) {
            /* >>> Realm is dropped */
            if ((mname = aname_full_to_mapping_name(pname))) {
                /*
                 * Search first for explicit mappings of the form:
                 *
                 * [realms]->realm->"auth_to_local_names"->mapping_name
                 */
                hierarchy[0] = "realms";
                /* >>> Only the default realm is used. */
                hierarchy[1] = realm;
                hierarchy[2] = "auth_to_local_names";
                hierarchy[3] = mname;
                hierarchy[4] = (char *) NULL;
                if (!(kret = profile_get_values(context->profile,
                                                hierarchy,
                                                &mapping_values))) {
                    /* We found one or more explicit mappings. */
                    for (nvalid=0; mapping_values[nvalid]; nvalid++);

                    /* Just use the last one. */
                    /* Trim the value. */



-Christopher Nebergall
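Added illustration, not from the report and not MIT krb5 code: a small C model of the lookup excerpted above, using a constructed in-memory stand-in for the auth_to_local_names profile. It shows the realm-dropping behaviour the report describes (roger@siteB.com matching siteA.com's entry) beside a realm-aware lookup keyed on the principal's own realm. The function name map_principal, the profile table and the buffer sizes are assumptions.

```c
/* Added illustration, not MIT krb5 code: models the auth_to_local_names
 * lookup from the report against a constructed in-memory profile. */
#include <string.h>

#define DEFAULT_REALM "siteA.com"

/* Stand-in for [realms]->realm->auth_to_local_names (constructed data). */
struct mapping { const char *realm; const char *name; const char *local; };
static const struct mapping PROFILE[] = { { "siteA.com", "roger", "roger1" } };
#define NMAP (sizeof(PROFILE) / sizeof(PROFILE[0]))

/* Explicit mapping of mname under realm, or NULL if there is none. */
static const char *lookup(const char *realm, const char *mname)
{
    size_t i;
    for (i = 0; i < NMAP; i++)
        if (strcmp(PROFILE[i].realm, realm) == 0 &&
            strcmp(PROFILE[i].name, mname) == 0)
            return PROFILE[i].local;
    return NULL;
}

/* Map "name@REALM" to a local name.  With realm_aware == 0 this is the
 * behaviour the report describes: the principal's realm is discarded and
 * only the default realm's mappings are consulted, so roger@siteB.com
 * matches siteA.com's entry.  With realm_aware != 0 the lookup is keyed on
 * the principal's own realm and a foreign-realm principal gets no mapping. */
const char *map_principal(const char *princ, int realm_aware)
{
    char name[64], realm[64];
    const char *at = strrchr(princ, '@');
    size_t nlen;

    if (at == NULL)
        return NULL;                      /* no realm component */
    nlen = (size_t)(at - princ);
    if (nlen >= sizeof name || strlen(at + 1) >= sizeof realm)
        return NULL;                      /* oversized input, refuse to map */
    memcpy(name, princ, nlen);
    name[nlen] = '\0';
    strcpy(realm, at + 1);

    return lookup(realm_aware ? realm : DEFAULT_REALM, name);
}
```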



More information about the krb5-bugs mailing list