From: "Nebergall, Christopher" <cneberg@sandia.gov>
To: "'krb5-bugs@mit.edu'" <krb5-bugs@mit.edu>
Subject: auth_to_local_names drops realm before match
Date: Mon, 24 Nov 2003 10:48:12 -0700
The auth_to_local_names attribute only consults the default realm for
matching, no matter what realm that the user is authenticating from. This
may be alright by itself because that makes it consistent with auth_to_local
call. The problem is that the realm of the user is dropped before the
match. User1@anyrealm will always be treated the same as User1@defaultrealm
for the match.
Example from kerb 1.3.1
If I see roger@siteA.com or roger@siteB.com they both get mapped into roger1
using the krb5.conf settings below.
    [libdefaults]
        default_realm = siteA.com

    [realms]
        siteA.com = {
            kdc = something
            auth_to_local_names = {
                roger = roger1
            }
        }
        siteB.com = {
            kdc = something
        }
lib/krb5/os/an_to_ln.c (excerpt):

    if (!(kret = krb5_get_default_realm(context, &realm))) {
        /* Flatten the name */
        if (!(kret = krb5_unparse_name(context, aname, &pname))) {
            /* >>> Realm is dropped */
            if ((mname = aname_full_to_mapping_name(pname))) {
                /*
                 * Search first for explicit mappings of the form:
                 *
                 * [realms]->realm->"auth_to_local_names"->mapping_name
                 */
                hierarchy[0] = "realms";
                /* >>> Only the default realm is used. >>>>>>>> */
                hierarchy[1] = realm;
                hierarchy[2] = "auth_to_local_names";
                hierarchy[3] = mname;
                hierarchy[4] = (char *) NULL;
                if (!(kret = profile_get_values(context->profile,
                                                hierarchy,
                                                &mapping_values))) {
                    /* We found one or more explicit mappings. */
                    for (nvalid=0; mapping_values[nvalid]; nvalid++);
                    /* Just use the last one. */
                    /* Trim the value. */
-Christopher Nebergall
The attached patch (against the current 1.4 release) does what I think
the original requestor was after and which I'm also keen on doing:
it turns auth_to_local_names and auth_to_local into real per-realm
configs, specifying auth-to-local conversion based on the aname's
realm. In the absence of an auth_to_local config for a given realm
(besides the default realm), though, the prior behavior of using the
default realm's auth_to_local config is fallen back upon. No such
provision is made for auth_to_local_names, however, as that doesn't
seem to make much sense to me (and it complicates the patch and raises
configuration precedence issues, though somebody with more insight
may be able to work those out, in addition to filtering out the bugs
that the patch no doubt introduces).
--buck
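As an added example (not krb5 source and not buck's patch), the Python below models the two lookup strategies discussed in this thread: the 1.3/1.4 an_to_ln.c behaviour quoted in the bug report, which drops the principal's realm and consults only the default realm's auth_to_local_names and auth_to_local entries, and the per-realm behaviour the patch note describes, where auth_to_local falls back to the default realm's entry when a realm has none but auth_to_local_names does not. The siteA.com entries mirror the reporter's krb5.conf; the siteB.com RULE and the empty siteC.com realm are hypothetical additions that exercise the per-realm and fallback paths, and only DEFAULT plus a small subset of krb5's RULE grammar is implemented (escaping of '@' and '/' in names is ignored).

```python
"""
Added example, not krb5 source: a model of aname -> lname mapping under
(a) the an_to_ln.c logic quoted in the bug report and (b) the per-realm
behaviour described in the patch note.
"""
import re


class NoTranslation(Exception):
    """Stands in for KRB5_LNAME_NOTRANS."""


# Constructed krb5.conf as a profile-style nested dict. siteA.com matches
# the thread's example; the siteB.com RULE and siteC.com are hypothetical.
PROFILE = {
    "libdefaults": {"default_realm": "siteA.com"},
    "realms": {
        "siteA.com": {
            "auth_to_local_names": {"roger": ["roger1"]},
            "auth_to_local": ["DEFAULT"],
        },
        "siteB.com": {
            # hypothetical rule: user@siteB.com -> user_b
            "auth_to_local": [r"RULE:[1:$1@$0](.*@siteB\.com)s/@siteB\.com/_b/"],
        },
        "siteC.com": {},  # no auth_to_local at all
    },
}

# RULE:[n:format](selector)s/old/new/[g]  (subset of krb5's syntax)
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$"
)


def split_principal(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_auth_to_local(rules, comps, realm, default_realm):
    """Walk auth_to_local entries in order; the first applicable one wins."""
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component names in the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: %s" % rule)
        ncomp, fmt, selector, old, new, glob = m.groups()
        if int(ncomp) != len(comps):
            continue
        s = fmt.replace("$0", realm)  # $0 is the realm, $1.. the components
        for i, c in enumerate(comps, 1):
            s = s.replace("$%d" % i, c)
        if selector is not None and not re.fullmatch(selector, s):
            continue
        if old is not None:
            s = re.sub(old, new, s, count=0 if glob else 1)
        return s
    raise NoTranslation(realm)


def an_to_ln_1_3(profile, principal):
    """Behaviour quoted from an_to_ln.c: aname_full_to_mapping_name drops the
    realm, and only the default realm's entries are consulted."""
    default_realm = profile["libdefaults"]["default_realm"]
    comps, realm = split_principal(principal)
    mname = "/".join(comps)
    cfg = profile["realms"].get(default_realm, {})
    names = cfg.get("auth_to_local_names", {}).get(mname)
    if names:
        return names[-1]  # "Just use the last one."
    rules = cfg.get("auth_to_local", ["DEFAULT"])
    return apply_auth_to_local(rules, comps, realm, default_realm)


def an_to_ln_per_realm(profile, principal):
    """Behaviour described in the patch note: consult the principal's own
    realm; auth_to_local falls back to the default realm's entry when the
    realm has none, auth_to_local_names deliberately does not."""
    default_realm = profile["libdefaults"]["default_realm"]
    comps, realm = split_principal(principal)
    mname = "/".join(comps)
    cfg = profile["realms"].get(realm, {})
    names = cfg.get("auth_to_local_names", {}).get(mname)
    if names:
        return names[-1]
    rules = cfg.get("auth_to_local")
    if rules is None:  # fall back to the default realm's auth_to_local
        rules = profile["realms"].get(default_realm, {}).get("auth_to_local", ["DEFAULT"])
    return apply_auth_to_local(rules, comps, realm, default_realm)


def lname_or_notrans(fn, principal):
    """The mapped lname, or 'NOTRANS' when the mapping fails."""
    try:
        return fn(PROFILE, principal)
    except NoTranslation:
        return "NOTRANS"


if __name__ == "__main__":
    for p in ["roger@siteA.com", "roger@siteB.com", "roger@siteC.com",
              "alice@siteA.com", "alice@siteB.com"]:
        print("%-16s 1.3: %-8s per-realm: %s" % (
            p, lname_or_notrans(an_to_ln_1_3, p),
            lname_or_notrans(an_to_ln_per_realm, p)))
```

Running it shows the reporter's complaint directly: under the 1.3 logic roger@siteB.com and roger@siteC.com both come out as roger1 because the realm is gone before the explicit-name lookup, whereas per-realm lookup maps roger@siteB.com through siteB.com's own rule and leaves roger@siteC.com untranslated, since siteC.com has no auth_to_local and the default realm's DEFAULT only accepts default-realm principals.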