GSSAPI plugin and kerberos auth-to-local rules

Howard Chu hyc at highlandsun.com
Wed Oct 7 21:21:56 EDT 2009


Carson Gaspar wrote:
> Henry B. Hotz wrote:
>>
>> On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:
>>>
>>> What worries me is that the native realm _is_ stripped. It shouldn't
>>> be. I'm not sure why gssapi_server_mech_step() does so.
>>
>> Because most programs are only set up to handle simple usernames.
>>
>> I thought it was only the Solaris implementation that did that (and only
>> if the realm == the default realm in [libdefaults]).  I gather you're
>> seeing that elsewhere?
>
> RTFS ;-)
>
> It's potentially done on all platforms. And it's done IFF:
>
> gss_import_name(x, "foo", defined(GSS_C_NT_USER_NAME) ? GSS_C_NT_USER_NAME :
> GSS_C_NULL_OID, &result)
> if ("foo@bar.baz" == result) { user = "foo" }
>
> If you're using MIT krb5's libgssapi, yes that relates to the default realm.
> Other GSSAPI implementations likely behave differently.

This has always been the case in Cyrus SASL - if the realm name matches the 
server's default realm, it is omitted. (CVS shows this behavior goes back to 
version 1.1 in November '98.)

Even more confusing is that they don't bother to put the realm name into the 
user_realm SASL parameter when they decide not to omit it. I've never gotten a 
satisfactory answer about why. This is in stark contrast to the DIGEST-MD5 
mechanism...

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
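The realm-stripping decision discussed in this thread, modelled as an added example (not code from Cyrus SASL, MIT krb5, or any poster): the bare username is "imported" as a user name, which under MIT krb5 means the default realm is appended, and the result is compared with the authenticated principal. Only a principal in the default realm loses its realm; a principal from any other realm is passed through whole, and user_realm is left unset in both cases, which is the behaviour Howard complains about. The function names, the `SaslIdentity` record and the default realm value are assumptions made for this illustration; no real GSSAPI library is called.

```python
# Added example: models the check quoted in the thread for
# gssapi_server_mech_step(). Names and the default realm are constructed
# for illustration; nothing here calls a real GSSAPI implementation.
from dataclasses import dataclass
from typing import Optional

# Stands in for default_realm in [libdefaults]; constructed value.
DEFAULT_REALM = "EXAMPLE.COM"


def import_user_name(name: str, default_realm: str) -> str:
    """Stand-in for gss_import_name() with GSS_C_NT_USER_NAME under MIT
    krb5: a name with no realm component gets the default realm appended,
    a name that already carries a realm is returned unchanged."""
    if "@" in name:
        return name
    return f"{name}@{default_realm}"


@dataclass(frozen=True)
class SaslIdentity:
    """What the plugin hands back to SASL: the authid it derived and the
    user_realm parameter (which, per the thread, is never populated)."""
    authid: str
    user_realm: Optional[str]


def derive_sasl_identity(principal: str, default_realm: str = DEFAULT_REALM,
                         record_realm: bool = False) -> SaslIdentity:
    """Apply the rule from the thread: strip the realm only if importing the
    bare user name reproduces the authenticated principal exactly.

    record_realm=False reproduces the behaviour described on the list:
    user_realm stays None even when the realm is kept. record_realm=True is
    a hypothetical variant (not the plugin's behaviour) that reports the
    realm the way the poster says DIGEST-MD5 does.
    """
    user, sep, realm = principal.rpartition("@")
    if not sep:
        # No realm component at all; nothing to strip and nothing to report.
        return SaslIdentity(authid=principal, user_realm=None)

    # The comparison quoted from the source: import "foo" and check whether
    # the canonical form equals the principal we actually authenticated.
    if import_user_name(user, default_realm) == principal:
        return SaslIdentity(authid=user, user_realm=None)

    # Foreign realm: the full principal is kept as the authid. Realms are
    # case-sensitive, so "example.com" is not the default realm here.
    return SaslIdentity(authid=principal,
                        user_realm=realm if record_realm else None)


def authids_collide(principal_a: str, principal_b: str,
                    default_realm: str = DEFAULT_REALM) -> bool:
    """Defender's check: do two distinct principals map to the same authid?
    Under this rule they should not, because only the default realm is
    ever removed; a same-named user in another realm keeps "@REALM"."""
    if principal_a == principal_b:
        return False
    return (derive_sasl_identity(principal_a, default_realm).authid
            == derive_sasl_identity(principal_b, default_realm).authid)


if __name__ == "__main__":
    for p in ("foo@EXAMPLE.COM", "foo@OTHER.ORG", "foo@example.com", "foo"):
        print(p, "->", derive_sasl_identity(p))
    print("collision:", authids_collide("foo@EXAMPLE.COM", "foo@OTHER.ORG"))
```

The `authids_collide` check is the part worth keeping in a test suite: it confirms that an authorization layer keyed on the SASL authid cannot be handed the same string for a local user and a same-named user in another realm, and it is exactly the property an auth-to-local mapping must preserve if the realm is ever stripped.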