Look for auth_to_local in the default realm's realm section...

...rather than the authenticated principal's realm section. We do this both to maintain compatibility with MIT and because it makes more sense. We should likely also fix the auth_to_local_names as cursory inspection reveals that it has the same incompatibility.
2012-01-10 21:55:50 +00:00
parent e2b6a449ce
commit 2c5ec44d39
5 changed files with 13 additions and 17 deletions
--- a/lib/krb5/aname_to_localname.c
+++ b/lib/krb5/aname_to_localname.c
@@ -290,6 +290,7 @@ krb5_aname_to_localname(krb5_context context,
 {
    static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT;
    krb5_error_code ret;
+    krb5_realm realm;
    size_t i;
    char **rules = NULL;
    char *rule;
@@ -304,8 +305,13 @@ krb5_aname_to_localname(krb5_context context,
    if (ret != KRB5_PLUGIN_NO_HANDLE)
 	return ret;

-    rules = krb5_config_get_strings(context, NULL, "realms", aname->realm,
+    ret = krb5_get_default_realm(context, &realm);
+    if (ret)
+	return ret;
+
+    rules = krb5_config_get_strings(context, NULL, "realms", realm,
 				    "auth_to_local", NULL);
+    krb5_xfree(realm);
    if (!rules) {
 	/* Heimdal's default rule */
 	ret = an2ln_default(context, "HEIMDAL_DEFAULT", aname, lnsize, lname);
--- a/tests/kdc/an2ln-db.txt
+++ b/tests/kdc/an2ln-db.txt
@@ -70,7 +70,9 @@ f8cd2e85efa891af junk
 fd6e5e417b8296a7 junk
 foo/mapped1@TEST2.H5L.SE foo_mapped
 mapped1@TEST2.H5L.SE m1
+mapped1@TEST3.H5L.SE mapped1
 mapped2@TEST2.H5L.SE m2
+mapped2@TEST3.H5L.SE mapped2
 z008213d189aac2b junk
 z07644c5c50f29d5 junk
 z094067ad439189c junk
--- a/tests/kdc/check-authz.in
+++ b/tests/kdc/check-authz.in
@@ -79,8 +79,8 @@ check_localname mapped1@${R2} 0 m1 || exit 1
 check_localname mapped2@${R2} 0 m2 || exit 1
 check_localname mapped1@${R3} 0 mapped1 || exit 1
 check_localname mapped2@${R3} 0 mapped2 || exit 1
-check_localname notmapped1@${R} 1 || exit 1
-check_localname notmapped1@${R2} 1 || exit 1
+check_localname notmapped1@${R} 0 notmapped1 || exit 1
+check_localname notmapped1@${R2} 0 notmapped1 || exit 1
 check_localname notmapped1@${R3} 0 notmapped1 || exit 1

 echo "Checking 1-component principal names in non-default realm"
--- a/tests/kdc/krb5-authz.conf.in
+++ b/tests/kdc/krb5-authz.conf.in
@@ -15,13 +15,7 @@
 		mapped1 = foo
 		mapped2 = bar
 	    }
-	    auth_to_local = NONE
-	}
-	TEST2.H5L.SE = {
-	    auth_to_local = DB:@srcdir@/an2ln-db.txt
-	}
-	TEST3.H5L.SE = {
-	    auth_to_local = DEFAULT
+	    auth_to_local = DB:./an2ln-db.txt DEFAULT
 	}

 [logging]
--- a/tests/kdc/krb5-authz2.conf.in
+++ b/tests/kdc/krb5-authz2.conf.in
@@ -16,13 +16,7 @@
 		mapped1 = foo
 		mapped2 = bar
 	    }
-	    auth_to_local = NONE
-	}
-	TEST2.H5L.SE = {
-	    auth_to_local = DB:@srcdir@/an2ln-db.txt
-	}
-	TEST3.H5L.SE = {
-	    auth_to_local = DEFAULT
+	    auth_to_local = DB:./an2ln-db.txt DEFAULT
 	}

 [logging]