GSSAPI plugin and kerberos auth-to-local rules
Howard Chu
hyc at highlandsun.com
Wed Oct 7 21:21:56 EDT 2009
Carson Gaspar wrote:
> Henry B. Hotz wrote:
>>
>> On Oct 7, 2009, at 4:40 PM, Carson Gaspar wrote:
>>>
>>> What worries me is that the native realm _is_ stripped. It shouldn't be.
>>> I'm not sure why gssapi_server_mech_step() does so.
>>
>> Because most programs are only set up to handle simple usernames.
>>
>> I thought it was only the Solaris implementation that did that (and only
>> if the realm == the default realm in [libdefaults]). I gather you're
>> seeing that elsewhere?
>
> RTFS ;-)
>
> It's potentially done on all platforms. And it's done IFF:
>
> gss_import_name(x, "foo", defined(GSS_C_NT_USER_NAME) ? GSS_C_NT_USER_NAME : GSS_C_NULL_OID, &result)
> if ("foo@bar.baz" == result) { user = "foo" }
>
> If you're using MIT krb5's libgssapi, yes that relates to the default realm.
> Other GSSAPI implementations likely behave differently.
This has always been the case in Cyrus SASL - if the realm name matches the
server's default realm, it is omitted. (CVS shows this behavior goes back to
version 1.1 in November '98.)
Even more confusing is that they don't bother to put the realm name into the
user_realm SASL parameter when they decide not to omit it. I've never gotten a
satisfactory answer about why. This is in stark contrast to the DIGEST-MD5
mechanism...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
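The following is an added illustration, not code from Cyrus SASL or from anyone in this thread. It models the realm-stripping rule the thread describes (the realm is dropped from the username only when it equals the server's default realm, and user_realm is not populated either way), and shows what an application that only expects "simple usernames" is exposed to if it discards the realm itself. The default realm, the sample principals and the ACL are constructed for the example; the function names are hypothetical.

```python
# Added example; not Cyrus SASL's own code.  Models the behaviour discussed in
# the thread and a safe application-side normalisation.

from typing import Optional, Tuple

# Constructed sample values for the example.
SERVER_DEFAULT_REALM = "EXAMPLE.COM"


def sasl_gssapi_username(client_principal: str,
                         server_default_realm: str) -> Tuple[str, Optional[str]]:
    """Model of what the application sees as (username, user_realm).

    - realm == server default realm: realm stripped, bare username returned
    - any other realm: realm left inside the username
    - in both cases user_realm is None, mirroring the complaint in the thread
    """
    user, sep, realm = client_principal.rpartition("@")
    if not sep:
        # No realm component at all: pass through unchanged.
        return client_principal, None
    if realm == server_default_realm:
        return user, None
    return client_principal, None


def naive_local_user(username: str) -> str:
    """What a 'simple username' application often does: drop everything after
    the first '@'.  This is the unsafe pattern the example warns about."""
    return username.split("@", 1)[0]


def canonical_principal(username: str, user_realm: Optional[str],
                        server_default_realm: str) -> str:
    """Safe normalisation: always reconstruct a fully qualified user@REALM,
    using user_realm when the mechanism supplied it and the server's default
    realm only when the username carries no realm of its own."""
    if user_realm:
        return f"{username}@{user_realm}"
    if "@" in username:
        return username
    return f"{username}@{server_default_realm}"


def is_authorized(client_principal: str, server_default_realm: str,
                  allowed_principals) -> bool:
    """Authorisation check that compares fully qualified principals only."""
    username, user_realm = sasl_gssapi_username(client_principal,
                                                server_default_realm)
    return canonical_principal(username, user_realm,
                               server_default_realm) in allowed_principals


if __name__ == "__main__":
    acl = {"bob@EXAMPLE.COM"}  # constructed ACL entry
    for principal in ("bob@EXAMPLE.COM", "bob@OTHER.ORG"):
        username, realm = sasl_gssapi_username(principal, SERVER_DEFAULT_REALM)
        print(principal, "->", repr(username),
              "naive:", naive_local_user(username),
              "canonical:", canonical_principal(username, realm,
                                                SERVER_DEFAULT_REALM),
              "authorized:", is_authorized(principal, SERVER_DEFAULT_REALM, acl))
```

Running the block shows the problem in one line: both bob@EXAMPLE.COM and bob@OTHER.ORG collapse to the local name "bob" under naive_local_user, whereas canonical_principal keeps them distinct and only the default-realm user passes the ACL check. The practical rule is to treat a bare username from the GSSAPI plugin as implicitly qualified by the server's default realm, and never to strip a realm that the plugin left in place.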