On Tue, 2009-03-03 at 13:56 -0500, Bryan Jacobs wrote:
> Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes
> cross-realm GSSAPI authentication.
>
> Changes it makes:
> 1. When using krb5_kuserok, do not call gss_compare_name to check that
> authn_name and authz_name are the same. Instead, make TWO calls to
> krb5_kuserok, one for each ID. If both IDs are acceptable, allow the
> login.
I'm just wondering. Is the authz_name check really necessary? Simplified, the code is basically:

krb5_parse_name(ctx, username, &princ);
ok = krb5_kuserok(ctx, princ, username);

Are there really situations where the above code produces ok=FALSE?

Also do you have any ideas why after your patch it fails here:
http://dovecot.org/list/dovecot/2009-June/040672.html

Maybe instead of always using krb5_userok() it's used only when authn_name != authz_name?
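As an added illustration (not code from this thread, Dovecot or Heimdal), the C program below models the two authorization strategies under discussion: the gss_compare_name-style check that only accepts an authn principal equal to authz_name in the default realm, versus the patch's two krb5_kuserok() calls. krb5_kuserok() is replaced by a simulated lookup against a constructed .k5login; the realms and the user "bob" are assumptions.

```c
/* Added example: models cross-realm authorization as discussed in the
 * thread. libkrb5 is NOT used; sim_kuserok() imitates krb5_kuserok()
 * with a constructed .k5login. Realms and user names are made up. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_REALM "EXAMPLE.COM"   /* assumed local (default) realm */

/* Constructed ~bob/.k5login: bob from the local realm plus bob from a
 * trusted foreign realm that is allowed to log in as local user "bob". */
static const char *bob_k5login[] = { "bob@EXAMPLE.COM", "bob@OTHER.COM", NULL };

/* Simulated krb5_kuserok(): principal may act as luser if it is
 * luser@DEFAULT_REALM or is listed in luser's .k5login. */
static int sim_kuserok(const char *principal, const char *luser) {
    char local[128];
    snprintf(local, sizeof local, "%s@%s", luser, DEFAULT_REALM);
    if (strcmp(principal, local) == 0) return 1;
    if (strcmp(luser, "bob") != 0) return 0;   /* only bob has a .k5login here */
    for (const char **p = bob_k5login; *p; p++)
        if (strcmp(*p, principal) == 0) return 1;
    return 0;
}

/* Pre-patch behaviour: authn principal must equal authz_name parsed in
 * the default realm (what the gss_compare_name check effectively demands),
 * so a cross-realm principal can never match. */
int authz_by_compare(const char *authn_princ, const char *username) {
    char authz_princ[128];
    snprintf(authz_princ, sizeof authz_princ, "%s@%s", username, DEFAULT_REALM);
    if (strcmp(authn_princ, authz_princ) != 0) return 0;
    return sim_kuserok(authz_princ, username);
}

/* Patched behaviour: no name comparison; BOTH the authenticated principal
 * and the requested authz principal must pass krb5_kuserok() for the user. */
int authz_by_two_kuserok(const char *authn_princ, const char *username) {
    char authz_princ[128];
    snprintf(authz_princ, sizeof authz_princ, "%s@%s", username, DEFAULT_REALM);
    return sim_kuserok(authn_princ, username) && sim_kuserok(authz_princ, username);
}

int main(void) {
    /* Cross-realm login: bob@OTHER.COM asks to become local user "bob". */
    printf("compare_name: %d\n", authz_by_compare("bob@OTHER.COM", "bob"));     /* 0 */
    printf("two kuserok:  %d\n", authz_by_two_kuserok("bob@OTHER.COM", "bob")); /* 1 */
    /* A foreign principal absent from .k5login is rejected either way. */
    printf("unlisted:     %d\n", authz_by_two_kuserok("bob@UNTRUSTED.COM", "bob")); /* 0 */
    return 0;
}
```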