8 Jul 2009
2:27 a.m.
On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication.
Changes it makes:
- When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login.
I'm just wondering. Is the authz_name check really necessary? Simplified, the code is basically:
krb5_parse_name(ctx, username, &princ);
ok = krb5_kuserok(ctx, princ, username);
Are there really situations where the above code produces ok=FALSE?
Also do you have any ideas why after your patch it fails here: http://dovecot.org/list/dovecot/2009-June/040672.html
Maybe instead of always using krb5_kuserok() it's used only when authn_name != authz_name?
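As an added illustration (not code from this thread, Heimdal or Dovecot), here is a simplified Python model of the krb5_kuserok() rules the question turns on. It assumes the conventional behaviour: with no ~user/.k5login file, only user@DEFAULT_REALM is accepted; when the file exists, only the principals listed in it are. The realm names and file contents are constructed.

```python
# Model of krb5_kuserok() authorization rules (simplified, for illustration).
# Assumption: DEFAULT_REALM stands for the libkrb5 default realm; .k5login
# contents are passed in as a list (None means the file does not exist).
DEFAULT_REALM = "EXAMPLE.COM"  # constructed value


def kuserok(principal, luser, k5login):
    """Return True if `principal` may log in as local user `luser`.

    k5login: None when ~luser/.k5login is absent, else its principal list.
    """
    if k5login is None:
        # No .k5login: only the user's own principal in the default realm.
        return principal == f"{luser}@{DEFAULT_REALM}"
    # .k5login present: the file is authoritative, even for the user's own
    # principal, which is NOT implicitly allowed.
    return principal in k5login


def simplified_check(username, k5login):
    """The two-line sequence quoted in the mail: parse username, then kuserok."""
    # krb5_parse_name() on a bare name appends the default realm.
    princ = f"{username}@{DEFAULT_REALM}"
    return kuserok(princ, username, k5login)


def patched_check(authn_name, authz_name, k5login_for_authz):
    """The patch's approach: both identities must pass kuserok for authz_name."""
    authz_princ = f"{authz_name}@{DEFAULT_REALM}"
    return (kuserok(authn_name, authz_name, k5login_for_authz)
            and kuserok(authz_princ, authz_name, k5login_for_authz))


if __name__ == "__main__":
    # No .k5login: the self-check trivially passes.
    print(simplified_check("alice", None))                      # True
    # .k5login listing only a foreign-realm principal: self-check fails,
    # so the patched two-call scheme rejects an otherwise listed login.
    listed = ["alice@OTHER.REALM"]
    print(simplified_check("alice", listed))                    # False
    print(patched_check("alice@OTHER.REALM", "alice", listed))  # False
    listed.append("alice@EXAMPLE.COM")
    print(patched_check("alice@OTHER.REALM", "alice", listed))  # True
```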