Ticket History #2023: auth_to_localnames drops realm before match

fix at least one bug in this patch

--- krb5-1.4.2/src/lib/krb5/os/an_to_ln.c.realm-specific_an_to_ln 2004-07-02 17:32:17.000000000 -0400
+++ krb5-1.4.2/src/lib/krb5/os/an_to_ln.c 2005-09-28 09:34:42.042924673 -0400
@@ -614,8 +614,7 @@
#endif /* AN_TO_LN_RULES */

/*
- * Implementation: This version checks the realm to see if it is the local
- * realm; if so, and there is exactly one non-realm component to the name,
+ * Implementation: If there is exactly one non-realm component to the name,
* that name is returned as the lname.
*/
static krb5_error_code
@@ -630,11 +629,6 @@
if ((retval = krb5_get_default_realm(context, &def_realm))) {
return(retval);
}
- if (((size_t) realm_length != strlen(def_realm)) ||
- (memcmp(def_realm, krb5_princ_realm(context, aname)->data, realm_length))) {
- free(def_realm);
- return KRB5_LNAME_NOTRANS;
- }

if (krb5_princ_size(context, aname) != 1) {
if (krb5_princ_size(context, aname) == 2 ) {
@@ -687,6 +681,9 @@
char *cp, *s;
char *typep, *argp;
unsigned int lnsize;
+ const krb5_data *conven_prealm;
+ krb5_boolean defaulting_to_default_realm;
+

if (lnsize_in < 0)
return KRB5_CONFIG_NOTENUFSPACE;
@@ -694,9 +691,15 @@
lnsize = lnsize_in; /* Unsigned */

/*
- * First get the default realm.
+ * First get the *incoming* principal's realm
*/
- if (!(kret = krb5_get_default_realm(context, &realm))) {
+ conven_prealm = krb5_princ_realm(context, aname);
+ realm = malloc(conven_prealm->length + 1);
+ kret = ENOMEM;
+
+ if (realm) {
+ strncpy(realm, conven_prealm->data, conven_prealm->length);
+ realm[conven_prealm->length] = '\0';
/* Flatten the name */
if (!(kret = krb5_unparse_name(context, aname, &pname))) {
if ((mname = aname_full_to_mapping_name(pname))) {
@@ -743,6 +746,9 @@
*
* [realms]->realm->"auth_to_local"
*
+ * Check first for the realm of the incoming princ.
+ * In the absence of any config for it, try the default realm.
+ *
* This can have one or more of the following kinds of
* values:
* DB:<filename> - Look up principal in aname database.
@@ -750,13 +756,26 @@
* DEFAULT - Use default rule.
* The first rule to find a match is used.
*/
+ defaulting_to_default_realm = FALSE;
hierarchy[0] = "realms";
hierarchy[1] = realm;
hierarchy[2] = "auth_to_local";
hierarchy[3] = (char *) NULL;
- if (!(kret = profile_get_values(context->profile,
- hierarchy,
- &mapping_values))) {
+ kret = profile_get_values(context->profile,
+ hierarchy,
+ &mapping_values);
+ if (kret) {
+ kret = krb5_get_default_realm(context, &s);
+ if (!kret) {
+ defaulting_to_default_realm = TRUE;
+ hierarchy[1] = s;
+ kret = profile_get_values(context->profile,
+ hierarchy,
+ &mapping_values);
+ krb5_xfree(s);
+ }
+ }
+ if (!kret) {
/*
* Loop through all the mapping values.
*/
@@ -792,6 +811,12 @@
else
#endif /* AN_TO_LN_RULES */
if (!strcmp(typep, "DEFAULT") && !argp) {
+ /* only honor a DEFAULT mapping if we didn't
+ * land here b/c we have no auth_to_local
+ * info for the principal's crealm
+ */
+ kret = KRB5_LNAME_NOTRANS;
+ if (!defaulting_to_default_realm) {
kret = default_an_to_ln(context,
aname,
lnsize,
@@ -799,6 +824,7 @@
if (kret != KRB5_LNAME_NOTRANS)
break;
}
+ }
else {
kret = KRB5_CONFIG_BADFORMAT;
break;
@@ -810,12 +836,20 @@
}
else {
/*
- * No profile relation found, try default mapping.
+ * No profile relation found, try default mapping,
+ * if principal is from local realm.
*/
- kret = default_an_to_ln(context,
- aname,
- lnsize,
- lname);
+ kret = KRB5_LNAME_NOTRANS;
+ if (!(kret = krb5_get_default_realm(context, &s))) {
+ if (strlen(realm) == strlen(s) &&
+ !strcmp(realm, s)) {
+ kret = default_an_to_ln(context,
+ aname,
+ lnsize,
+ lname);
+ }
+ krb5_xfree(s);
+ }
}
}
free(mname);
@@ -824,7 +858,7 @@
kret = ENOMEM;
krb5_xfree(pname);
}
- krb5_xfree(realm);
+ free(realm);
}
return(kret);
}