--- krb5-1.4.2/src/lib/krb5/os/an_to_ln.c.realm-specific_an_to_ln	2004-07-02 17:32:17.000000000 -0400
+++ krb5-1.4.2/src/lib/krb5/os/an_to_ln.c	2005-09-28 09:34:42.042924673 -0400
@@ -614,8 +614,7 @@
 #endif	/* AN_TO_LN_RULES */
 
 /*
- * Implementation:  This version checks the realm to see if it is the local
- * realm; if so, and there is exactly one non-realm component to the name,
+ * Implementation:  If there is exactly one non-realm component to the name,
  * that name is returned as the lname.
  */
 static krb5_error_code
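Review bot: The rewritten header comment no longer says who checks the realm, which is the security-relevant part of this change, since the next hunk removes the comparison with the default realm from this function. I would add a line such as `Callers must check that the principal's realm is acceptable; the realm is not compared with the default realm here.` The next hunk also still shows the `krb5_get_default_realm(context, &def_realm)` call; if nothing else in the body reads `def_realm`, that call and its free could be dropped as well. The function body lies outside this hunk, so this needs confirming against the full file.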
@@ -630,11 +629,6 @@
     if ((retval = krb5_get_default_realm(context, &def_realm))) {
 	return(retval);
     }
-    if (((size_t) realm_length != strlen(def_realm)) ||
-        (memcmp(def_realm, krb5_princ_realm(context, aname)->data, realm_length))) {
-        free(def_realm);
-        return KRB5_LNAME_NOTRANS;
-    }
 
     if (krb5_princ_size(context, aname) != 1) {
         if (krb5_princ_size(context, aname) == 2 ) {
@@ -687,6 +681,9 @@
     char		*cp, *s;
     char		*typep, *argp;
     unsigned int        lnsize;
+    const krb5_data	*conven_prealm;
+    krb5_boolean	defaulting_to_default_realm;
+  
 
     if (lnsize_in < 0)
       return KRB5_CONFIG_NOTENUFSPACE;
@@ -694,9 +691,15 @@
     lnsize = lnsize_in; /* Unsigned */
 
     /*
-     * First get the default realm.
+     * First get the *incoming* principal's realm
      */
-    if (!(kret = krb5_get_default_realm(context, &realm))) {
+    conven_prealm = krb5_princ_realm(context, aname);
+    realm = malloc(conven_prealm->length + 1);
+    kret = ENOMEM;
+
+    if (realm) {
+	strncpy(realm, conven_prealm->data, conven_prealm->length);
+	realm[conven_prealm->length] = '\0';
 	/* Flatten the name */
 	if (!(kret = krb5_unparse_name(context, aname, &pname))) {
 	    if ((mname = aname_full_to_mapping_name(pname))) {
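Review bot: The copy at `strncpy(realm, conven_prealm->data, conven_prealm->length);` turns a length-counted krb5_data into a C string, so a realm containing a NUL byte would be silently shortened. That shortened string is then used as the profile key in `hierarchy[1]` and, in the hunk at -810, compared with the default realm by `strcmp`. I would reject that case before the malloc, e.g. `if (memchr(conven_prealm->data, '\0', conven_prealm->length)) return KRB5_LNAME_NOTRANS;`, and use `memcpy` for the copy since the length is already known. The enclosing function starts and ends outside this hunk.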
@@ -743,6 +746,9 @@
 		     *
 		     * [realms]->realm->"auth_to_local"
 		     *
+		     * Check first for the realm of the incoming princ.
+		     * In the absence of any config for it, try the default realm.
+		     *
 		     * This can have one or more of the following kinds of
 		     * values:
 		     *	DB:<filename>	- Look up principal in aname database.
@@ -750,13 +756,26 @@
 		     *	DEFAULT		- Use default rule.
 		     * The first rule to find a match is used.
 		     */
+		    defaulting_to_default_realm = FALSE;
 		    hierarchy[0] = "realms";
 		    hierarchy[1] = realm;
 		    hierarchy[2] = "auth_to_local";
 		    hierarchy[3] = (char *) NULL;
-		    if (!(kret = profile_get_values(context->profile,
-						    hierarchy,
-						    &mapping_values))) {
+		    kret = profile_get_values(context->profile,
+					      hierarchy,
+					      &mapping_values);
+		    if (kret) {
+			kret = krb5_get_default_realm(context, &s);
+			if (!kret) {
+			    defaulting_to_default_realm = TRUE;
+			    hierarchy[1] = s;
+			    kret = profile_get_values(context->profile,
+						      hierarchy,
+						      &mapping_values);
+			    krb5_xfree(s);
+			}
+		    }
+		    if (!kret) {
 			/*
 			 * Loop through all the mapping values.
 			 */
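Review bot: The fallback at `if (kret) {` runs for every non-zero result of the first `profile_get_values`, not only when the principal's realm has no auth_to_local relation. A profile or allocation error on that realm's section therefore silently switches the lookup to the default realm's rules. I would restrict the fallback to the not-found results, presumably `if (kret == PROF_NO_SECTION || kret == PROF_NO_RELATION) {`, and let other errors propagate. Separately, `hierarchy[1]` still points at `s` after `krb5_xfree(s);`. Nothing in the visible lines reads it again, but adding `hierarchy[1] = realm;` after the second lookup would keep a later edit from touching freed memory; the function continues outside this hunk.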
@@ -792,6 +811,12 @@
 			    else
 #endif	/* AN_TO_LN_RULES */
 			    if (!strcmp(typep, "DEFAULT") && !argp) {
+			    /* only honor a DEFAULT mapping if we didn't
+			     * land here b/c we have no auth_to_local
+			     * info for the principal's crealm
+			     */
+			    kret = KRB5_LNAME_NOTRANS;
+			    if (!defaulting_to_default_realm) {
 				kret = default_an_to_ln(context,
 							aname,
 							lnsize,
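Review bot: The lines added inside the DEFAULT branch, `kret = KRB5_LNAME_NOTRANS;` and `if (!defaulting_to_default_realm) {`, sit at the same indentation as the enclosing `if (!strcmp(typep, "DEFAULT") && !argp) {`. The matching `}` added in the next hunk is unindented as well, so the nesting that decides whether DEFAULT is honoured is hard to follow. Indent the new block one level and re-indent the `default_an_to_ln` call and the `break` test beneath it. The added comment would also read better as a full sentence, e.g. `Honor DEFAULT only when the rules came from the principal's own realm, not from the default-realm fallback.`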
@@ -799,6 +824,7 @@
 				if (kret != KRB5_LNAME_NOTRANS)
 				    break;
 			    }
+			    }
 			    else {
 				kret = KRB5_CONFIG_BADFORMAT;
 				break;
@@ -810,12 +836,20 @@
 		    }
 		    else {
 			/*
-			 * No profile relation found, try default mapping.
+			 * No profile relation found, try default mapping,
+			 * if principal is from local realm.
 			 */
-			kret = default_an_to_ln(context,
-						aname,
-						lnsize,
-						lname);
+			kret = KRB5_LNAME_NOTRANS;
+			if (!(kret = krb5_get_default_realm(context, &s))) {
+			    if (strlen(realm) == strlen(s) &&
+				!strcmp(realm, s)) {
+				kret = default_an_to_ln(context,
+							aname,
+							lnsize,
+							lname);
+			    }
+			    krb5_xfree(s);
+			}
 		    }
 		}
 		free(mname);
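Review bot: In the no-relation branch, `kret = KRB5_LNAME_NOTRANS;` is overwritten at once by the assignment inside `if (!(kret = krb5_get_default_realm(context, &s)))`. When the principal's realm differs from the default realm, kret is therefore left at 0 and, as far as the visible lines show, the function returns success without writing lname. A caller would then treat whatever its buffer already holds as the mapped local name. Add `else kret = KRB5_LNAME_NOTRANS;` to the inner realm comparison and drop the dead assignment; the `strlen(realm) == strlen(s)` test is redundant next to `strcmp` and can go too. The enclosing function starts and ends outside this hunk.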
@@ -824,7 +858,7 @@
 		kret = ENOMEM;
 	    krb5_xfree(pname);
 	}
-	krb5_xfree(realm);
+	free(realm);
     }
     return(kret);
 }
