From 2c5ec44d39ff029d40728943665356f44b176b6b Mon Sep 17 00:00:00 2001
From: "Roland C. Dowdeswell"
Date: Tue, 10 Jan 2012 21:55:50 +0000
Subject: [PATCH] Look for auth_to_local in the default realm's realm section...
...rather than the authenticated principal's realm section. We do this both to maintain compatibility with MIT and because it makes more sense. We should likely also fix the auth_to_local_names as cursory inspection reveals that it has the same incompatibility.
---
 lib/krb5/aname_to_localname.c | 8 +++++++-
 tests/kdc/an2ln-db.txt | 2 ++
 tests/kdc/check-authz.in | 4 ++--
 tests/kdc/krb5-authz.conf.in | 8 +-------
 tests/kdc/krb5-authz2.conf.in | 8 +-------
 5 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/lib/krb5/aname_to_localname.c b/lib/krb5/aname_to_localname.c
index ed96ea3d4..49c9554a6 100644
--- a/lib/krb5/aname_to_localname.c
+++ b/lib/krb5/aname_to_localname.c
@@ -290,6 +290,7 @@ krb5_aname_to_localname(krb5_context context,
 {
 static heim_base_once_t reg_def_plugins = HEIM_BASE_ONCE_INIT;
 krb5_error_code ret;
+ krb5_realm realm;
 size_t i;
 char **rules = NULL;
 char *rule;
@@ -304,8 +305,13 @@ krb5_aname_to_localname(krb5_context context,
 if (ret != KRB5_PLUGIN_NO_HANDLE)
 return ret;
- rules = krb5_config_get_strings(context, NULL, "realms", aname->realm,
+ ret = krb5_get_default_realm(context, &realm);
+ if (ret)
+ return ret;
+
+ rules = krb5_config_get_strings(context, NULL, "realms", realm,
 "auth_to_local", NULL);
+ krb5_xfree(realm);
 if (!rules) {
 /* Heimdal's default rule */
 ret = an2ln_default(context, "HEIMDAL_DEFAULT", aname, lnsize, lname);
diff --git a/tests/kdc/an2ln-db.txt b/tests/kdc/an2ln-db.txt
index 511d957e6..39e1a5018 100644
--- a/tests/kdc/an2ln-db.txt
+++ b/tests/kdc/an2ln-db.txt
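Review bot: The early `return ret;` after `krb5_get_default_realm` makes every name-to-local-name lookup fail whenever no default realm can be determined, whereas the line this replaces keyed on `aname->realm` and needed no default realm at all; failing closed is the safer choice for an authorization mapping, but because callers in such a configuration may now see a new error, it deserves a comment such as `/* No default realm: refuse to map rather than guess which realm's rules apply */`. The lookup now deliberately ignores `aname->realm`, which a reader of this function will not expect, so a second comment above the `krb5_config_get_strings` call, e.g. `/* auth_to_local is read from the default realm's section for all principals (MIT-compatible) */`, would carry the rationale from the commit message into the code. `krb5_xfree(realm)` sits after the last use of `realm`, so ownership of the new buffer looks correct. The enclosing `krb5_aname_to_localname` begins before this hunk and continues past it.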
@@ -70,7 +70,9 @@ f8cd2e85efa891af junk
 fd6e5e417b8296a7 junk
 foo/mapped1@TEST2.H5L.SE foo_mapped
 mapped1@TEST2.H5L.SE m1
+mapped1@TEST3.H5L.SE mapped1
 mapped2@TEST2.H5L.SE m2
+mapped2@TEST3.H5L.SE mapped2
 z008213d189aac2b junk
 z07644c5c50f29d5 junk
 z094067ad439189c junk
diff --git a/tests/kdc/check-authz.in b/tests/kdc/check-authz.in
index c2e373a3f..9acd7f05d 100644
--- a/tests/kdc/check-authz.in
+++ b/tests/kdc/check-authz.in
@@ -79,8 +79,8 @@ check_localname mapped1@${R2} 0 m1 || exit 1
 check_localname mapped2@${R2} 0 m2 || exit 1
 check_localname mapped1@${R3} 0 mapped1 || exit 1
 check_localname mapped2@${R3} 0 mapped2 || exit 1
-check_localname notmapped1@${R} 1 || exit 1
-check_localname notmapped1@${R2} 1 || exit 1
+check_localname notmapped1@${R} 0 notmapped1 || exit 1
+check_localname notmapped1@${R2} 0 notmapped1 || exit 1
 check_localname notmapped1@${R3} 0 notmapped1 || exit 1
 echo "Checking 1-component principal names in non-default realm"
diff --git a/tests/kdc/krb5-authz.conf.in b/tests/kdc/krb5-authz.conf.in
index 899f41740..bd6e2cba1 100644
--- a/tests/kdc/krb5-authz.conf.in
+++ b/tests/kdc/krb5-authz.conf.in
@@ -15,13 +15,7 @@ mapped1 = foo
 mapped2 = bar
 }
- auth_to_local = NONE
- }
- TEST2.H5L.SE = {
- auth_to_local = DB:@srcdir@/an2ln-db.txt
- }
- TEST3.H5L.SE = {
- auth_to_local = DEFAULT
+ auth_to_local = DB:./an2ln-db.txt DEFAULT
 }
 [logging]
diff --git a/tests/kdc/krb5-authz2.conf.in b/tests/kdc/krb5-authz2.conf.in
index 4179cda94..2f805fb44 100644
--- a/tests/kdc/krb5-authz2.conf.in
+++ b/tests/kdc/krb5-authz2.conf.in
@@ -16,13 +16,7 @@ mapped1 = foo
 mapped2 = bar
 }
- auth_to_local = NONE
- }
- TEST2.H5L.SE = {
- auth_to_local = DB:@srcdir@/an2ln-db.txt
- }
- TEST3.H5L.SE = {
- auth_to_local = DEFAULT
+ auth_to_local = DB:./an2ln-db.txt DEFAULT
 }
 [logging]
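Review bot: The two rewritten expectations assert that `notmapped1@${R}` and `notmapped1@${R2}` both resolve with status 0 to the same local name `notmapped1`, so a principal from `${R2}` — apparently a non-default realm, given the `echo` that follows — now shares a local account with the default-realm principal of the same name. That collision follows from `auth_to_local` being read from the default realm's section for all principals and is presumably the intended MIT-compatible result, but nothing in the script says so; a comment above these lines, such as `# auth_to_local now comes from the default realm, so DEFAULT maps notmapped1 from every realm to one local user`, would keep a later reader from treating it as a regression. Anyone who relied on a per-realm `auth_to_local = NONE` (removed in the krb5-authz.conf.in hunk) to refuse principals from other realms will presumably need an explicit rule under the default realm instead, which is worth stating in the commit message or the documentation.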
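Review bot: `DB:./an2ln-db.txt` replaces `DB:@srcdir@/an2ln-db.txt`, trading the configure-time `@srcdir@` substitution for a path relative to the test process's working directory; in an out-of-tree build, where tests typically run from the build directory, the database file would not be found, and it is not visible here whether the DB rule then fails or silently falls through to `DEFAULT`. More generally, an authorization database named by a cwd-relative path makes the effective mapping policy depend on where the process was started, which is tolerable in a test but not a pattern worth copying into example configuration. Keeping the substitution, `auth_to_local = DB:@srcdir@/an2ln-db.txt DEFAULT`, avoids both concerns; the same change appears in the krb5-authz2.conf.in hunk.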