Re: GSSAPI plugin and kerberos auth-to-local rules

Carson Gaspar wrote:
> Henry B. Hotz wrote:
>> On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:
>>> What worries me is that the native realm _is_ stripped. It shouldn't
>>> be. I'm not sure why gssapi_server_mech_step() does so.
>>
>> Because most programs are only set up to handle simple usernames.
>>
>> I thought it was only the Solaris implementation that did that (and only
>> if the realm == the default realm in [libdefaults]).  I gather you're
>> seeing that elsewhere?
>
> RTFS ;-)
>
> It's potentially done on all platforms. And it's done IFF:
>
> gss_import_name(x, "foo", defined(GSS_C_NT_USER_NAME) ? GSS_C_NT_USER_NAME :
> GSS_C_NULL_OID, &result)
> if ("foo@xxxxxxx" == result) { user = "foo" }
>
> If you're using MIT krb5's libgssapi, yes that relates to the default realm.
> Other GSSAPI implementations likely behave differently.

This has always been the case in Cyrus SASL - if the realm name matches the server's default realm, it is omitted. (CVS shows this behavior goes back to version 1.1 in November '98.)

Even more confusing is that they don't bother to put the realm name into the user_realm SASL parameter when they decide not to omit it. I've never gotten a satisfactory answer about why. This is in stark contrast to the DIGEST-MD5 mechanism...

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
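As an added illustration (not code from Cyrus SASL, MIT krb5, or anyone in this thread), the following Python models the rule Carson and Howard describe: the GSSAPI plugin omits the realm if and only if it equals the server's default realm, and leaves user_realm unset when it keeps the realm. It then shows what that does to an application "only set up to handle simple usernames" and an explicit auth-to-local style mapping that keeps foreign-realm users distinguishable. The realm names and the trusted-realm table are made up; the real plugin does its comparison in C via gss_import_name(), not on strings.

```python
"""Added illustration: a model of the realm-stripping rule described in this
thread and the consumer-side mapping it forces on applications.  This is not
Cyrus SASL's code; the real plugin does its check in C with gss_import_name()."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Realm names and the trusted-realm table used below are made up for the example.
DEFAULT_REALM = "EXAMPLE.COM"


@dataclass
class SaslIdentity:
    user: str                   # the username the application is handed
    user_realm: Optional[str]   # the SASL user_realm parameter


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' at the last unescaped '@'.  Kerberos names may carry
    a literal '@' escaped as '\\@', so a plain str.split('@') is not safe."""
    m = re.match(r"^((?:[^@\\]|\\.)*)@([^@]+)$", principal)
    if m:
        return m.group(1), m.group(2)
    return principal, None


def cyrus_gssapi_username(authenticated: str,
                          default_realm: str = DEFAULT_REALM) -> SaslIdentity:
    """Mimic what the thread says gssapi_server_mech_step() does: the realm is
    omitted if and only if it equals the server's default realm.  The plugin
    detects that by importing the bare name with GSS_C_NT_USER_NAME (which MIT
    krb5 resolves against the default realm) and comparing it with the
    authenticated name; here the comparison is done on strings instead.
    Howard notes that user_realm is left unset when the realm is kept; the
    thread does not say what happens when it is stripped, so this model leaves
    it unset in both cases."""
    name, realm = split_principal(authenticated)
    if realm == default_realm:
        return SaslIdentity(user=name, user_realm=None)
    return SaslIdentity(user=authenticated, user_realm=None)


def naive_local_user(user: str) -> str:
    """What a program 'only set up to handle simple usernames' tends to do with
    a name that still carries a realm: chop at the first '@'.  This collapses
    alice@OTHER.ORG onto the local account alice, so a cross-realm identity
    becomes indistinguishable from a default-realm one."""
    return user.split("@", 1)[0]


def auth_to_local(user: str, default_realm: str = DEFAULT_REALM,
                  trusted: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Explicit mapping in the spirit of krb5 auth_to_local rules, applied to
    the name as the plugin hands it over.  A bare name can only have come from
    the default realm (the only case in which the plugin strips it); a name
    from a listed foreign realm gets a distinguishing suffix; anything else is
    rejected rather than guessed."""
    trusted = trusted or {}
    name, realm = split_principal(user)
    if realm is None or realm == default_realm:
        return name
    if realm in trusted:
        return name + trusted[realm]
    return None


if __name__ == "__main__":
    table = {"PARTNER.NET": "@partner"}
    for principal in ("alice@EXAMPLE.COM", "alice@PARTNER.NET", "alice@OTHER.ORG"):
        ident = cyrus_gssapi_username(principal)
        print(f"{principal:18} -> sasl user={ident.user!r:20} "
              f"naive={naive_local_user(ident.user)!r:8} "
              f"mapped={auth_to_local(ident.user, trusted=table)!r}")
```

Running the block prints one line per constructed principal: the default-realm user arrives bare, the two foreign-realm users arrive with their realm attached, the naive chop maps all three onto "alice", and the explicit mapping yields "alice", "alice@partner" and a rejection respectively.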
