GSSAPI plugin and kerberos auth-to-local rules
Carson Gaspar
carson at taltos.org
Wed Oct 7 20:58:31 EDT 2009
Henry B. Hotz wrote:
>
> On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:
>>
>> What worries me is that the native realm _is_ stripped. It shouldn't be.
>> I'm not sure why gssapi_server_mech_step() does so.
>
> Because most programs are only set up to handle simple usernames.
>
> I thought it was only the Solaris implementation that did that (and only
> if the realm == the default realm in [libdefaults]). I gather you're
> seeing that elsewhere?

RTFS ;-)

It's potentially done on all platforms. And it's done IFF:

    gss_import_name(x, "foo", defined(GSS_C_NT_USER_NAME) ? GSS_C_NT_USER_NAME : GSS_C_NULL_OID, &result)
    if ("foo@bar.baz" == result) { user = "foo" }

If you're using MIT krb5's libgssapi, yes that relates to the default realm.
Other GSSAPI implementations likely behave differently.

--
Carson
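
A small model of the condition described in the message above, added here as an illustration; it is not Cyrus SASL source and not the poster's code. `model_canonicalize`, `realm_sep`, `authid_from_principal` and the realm names are hypothetical, and the stand-in assumes the MIT-style behaviour mentioned above, where a bare user name is completed with the default realm.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gss_import_name() plus display of the result,
   assuming MIT-like behaviour: a bare user gets the default realm appended. */
static int model_canonicalize(const char *user, const char *realm,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", user, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Realm separator: the first '@' not escaped by a backslash, or NULL. */
static const char *realm_sep(const char *p)
{
    for (; *p; p++) {
        if (*p == '\\' && p[1]) p++;          /* skip the escaped character */
        else if (*p == '@') return p;
    }
    return NULL;
}

/* Returns 1 if the realm was stripped, 0 if the full name was kept, -1 on error. */
int authid_from_principal(const char *principal, const char *default_realm,
                          char *out, size_t outlen)
{
    char local[256], canon[512];
    const char *sep = realm_sep(principal);
    size_t len = sep ? (size_t)(sep - principal) : strlen(principal);

    if (len == 0 || len >= sizeof(local) || strlen(principal) >= outlen) return -1;
    memcpy(local, principal, len);
    local[len] = '\0';
    /* Strip only when the bare name canonicalizes back to the same principal. */
    int strip = sep && model_canonicalize(local, default_realm, canon, sizeof(canon)) == 0
                    && strcmp(canon, principal) == 0;
    strcpy(out, strip ? local : principal);
    return strip;
}

int main(void)
{
    /* Constructed sample principals; EXAMPLE.COM is the assumed default realm. */
    const char *in[] = { "foo@EXAMPLE.COM", "foo@OTHER.ORG", "a\\@b@EXAMPLE.COM" };
    char id[256];
    for (int i = 0; i < 3; i++)
        if (authid_from_principal(in[i], "EXAMPLE.COM", id, sizeof(id)) >= 0)
            printf("%-20s -> %s\n", in[i], id);
    return 0;
}
```

A principal from any realm other than the default keeps its realm, so a service that authorizes on the resulting name does not confuse foo@OTHER.ORG with the local user foo.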