Re: krb_match_realm

Henry B. Hotz wrote:
> Thank you very much. This helps, but I'm still evaluating how much.
>
> I *can* point at one problem though: you do a strchr(gbuf.value, '@')
> and then error out if there isn't a Kerberos realm there. In fact that
> is exactly the default username of at least one of the GSSAPI
> implementations I've tested if the realm is the same as the local
> default realm.

Eh, so how do we then determine the difference between local realm and
no realm given?

> I'm not entirely sure what the intended semantics of krb_match_realm
> are, but if you're trying to match the GSSAPI-authenticated name against
> "value_of(PGUSER)@value_of(krb_match_realm)" then you need to construct
> that string, gss_import_name() it, and then gss_compare_name() the
> imported name with the authenticated name that GSSAPI already gave you.
> I know the API overhead of doing that is a PITA, but that's what's going
> to work.

Why?

(FWIW, it works perfectly fine in my test setups, so I'd really like to
know why this won't work)

> I also notice you have some code to do case insensitive name matching.
> I assume this is to take care of the fact that Microsoft Kerberos does
> case insensitive name matching (contrary to the standard and the other
> Kerberos implementations out there). I suspect issues there, but it
> will be 3-6 months before I will have an environment where I can easily
> test this. Most likely, the way to handle this is by figuring out what
> case Microsoft uses for each name inside the protocol and then
> pre-mapping to that case before feeding things to (non-Microsoft) GSSAPI.

Yes, it's for supporting Active Directory. It's there in the same way
it's there for krb5.

> I don't regard the case mapping issues as serious. We may not have the
> intended level of Windows/Unix compatibility, but I don't expect other
> issues. In other words I'm not even going to think about it until it's
> easy for me to investigate.

Note that it's turned *off* by default, so it shouldn't even affect you.

>> Attached patch implements krb_match_realm for krb5, gssapi and sspi per
>> complaint from Henry. Comments welcome.
>>
>> Working on documentation which will of course be ready when it's
>> committed :)
>>
>> Oh, and it changes the krb username handling to be the same as the
>> gssapi one. I've never heard of anybody actually using the other version
>> that it used to support, and the comment clearly states that it was
>> broken for the really complex scenarios anyway - something nobody has
>> complained about.
>
> Well, *I* complained about it. ;-)

Um, not sure we're talking about the same thing. I know you complained
about the inability to match realm, but did you complain about the
inability to use things like full X.500 names as usernames?

//Magnus