Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c
===================================================================
--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c	2008-05-08 10:30:59.000000000 +0200
+++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c	2008-05-08 10:31:05.000000000 +0200
@@ -165,6 +165,7 @@
 	char *krb_5_keytab;
 	int krb_method_gssapi;
 	int krb_method_k5pass;
+	int krb5_auth_to_local;
 #endif
 #ifdef KRB4
 	char *krb_4_srvtab;
@@ -227,6 +228,9 @@
 
    command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass,
      FLAG, "Enable Kerberos V5 password authentication."),
+
+   command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local,
+     FLAG, "Enable Kerberos V5 auth_to_local mapping."),
 #endif 
 
 #ifdef KRB4
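Review bot: The help string for `Krb5AuthToLocal` understates what the flag does. Going by `do_krb5_an_to_ln` later in this patch, enabling it also makes `krb5_kuserok()` a hard requirement and replaces the authenticated user name with the local name. Presumably that local name is what later authorization rules see, so existing rules written against full principal names would stop matching. I would spell that out, for example `"Map the authenticated principal to a local user name (auth_to_local) and require krb5_kuserok() to succeed."`, and note in the module documentation that a principal with no mapping is refused.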
@@ -322,6 +326,7 @@
 #ifdef KRB5
 	((kerb_auth_config *)rec)->krb_method_k5pass = 1;
 	((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+	((kerb_auth_config *)rec)->krb5_auth_to_local = 0;
 #endif
 #ifdef KRB4
 	((kerb_auth_config *)rec)->krb_method_k4pass = 1;
@@ -746,6 +751,78 @@
 }
 
 static int
+do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf, MK_POOL *p)
+{
+	const int lname_size = 1024;
+
+	krb5_context kcontext;
+	krb5_principal princ;
+	krb5_error_code code;
+	char lname[lname_size];
+	int ret;
+
+	if (!conf->krb5_auth_to_local) {
+		return OK;
+	}
+
+	ret = HTTP_INTERNAL_SERVER_ERROR;
+
+	code = krb5_init_context(&kcontext);
+	if (code) {
+		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+			"Cannot initialize Kerberos5 context (%d)", code);
+		return HTTP_INTERNAL_SERVER_ERROR;
+	}
+    
+    code = krb5_parse_name(kcontext, MK_USER, &princ);
+	if (code) {
+		log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+			"krb5_parse_name() failed for name %s: %s",
+			MK_USER,
+			krb5_get_err_text(kcontext, code));
+		krb5_free_context(kcontext);
+		return HTTP_INTERNAL_SERVER_ERROR;
+	}
+
+	code = krb5_aname_to_localname(kcontext, princ, sizeof(lname), lname);
+	if (code) {
+		if (code != KRB5_LNAME_NOTRANS) {
+      			log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+				   "krb5_aname_to_localname() failed: %s",
+	         		   krb5_get_err_text(kcontext, code));
+			/* fall through */
+		}
+		else {
+      			log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+				   "krb5_aname_to_localname() found no "
+				   "mapping for principal %s",
+				   MK_USER);
+			/* fall through */
+		}
+	}
+	else {
+		/* Does this belong in an authz handler? */
+		if (!krb5_kuserok(kcontext, princ, lname)) {
+      			log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+				   "krb5_kuserok(%s, %s) == false",
+				   MK_USER, lname);
+			ret = HTTP_UNAUTHORIZED;
+		}
+		else {
+      		log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+			   "doing auth_to_local: %s -> %s",
+			   MK_USER, lname);
+			MK_USER = apr_pstrdup(p, lname);
+			ret = OK;
+		}
+	}
+	krb5_free_principal(kcontext, princ);
+	krb5_free_context(kcontext);
+
+	return ret;
+}
+
+static int
 krb5_cache_cleanup(void *data)
 {
    krb5_context context;
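Review bot: In `do_krb5_an_to_ln`, both failure branches after `krb5_aname_to_localname()` leave `ret` at `HTTP_INTERNAL_SERVER_ERROR`, so a correctly authenticated principal that simply has no mapping (`KRB5_LNAME_NOTRANS`) gets a 500. The two `/* fall through */` comments do not say whether that is intended. Failing closed is a safe default, but an expected "no mapping" outcome is not a server error; either set `ret = HTTP_UNAUTHORIZED;` in the `KRB5_LNAME_NOTRANS` branch or replace the comment with `/* no mapping: deny, ret stays HTTP_INTERNAL_SERVER_ERROR */`. Separately, `const int lname_size = 1024; char lname[lname_size];` declares a variable-length array in C; `enum { lname_size = 1024 };` keeps it a fixed-size buffer with a compile-time `sizeof(lname)`. The function also has no header comment stating that it returns `OK` unchanged when the flag is off and overwrites `MK_USER` on success.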
@@ -1537,11 +1614,17 @@
 
 #ifdef KRB5
    if (use_krb5 && conf->krb_method_gssapi &&
-       strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
-      ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
+	   strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
+		ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
+		if (ret == OK) {
+			ret = do_krb5_an_to_ln(r, conf, r->connection->pool);
+        }
    } else if (use_krb5 && conf->krb_method_k5pass &&
-	      strcasecmp(auth_type, "Basic") == 0) {
-       ret = authenticate_user_krb5pwd(r, conf, auth_line);
+	   strcasecmp(auth_type, "Basic") == 0) {
+		ret = authenticate_user_krb5pwd(r, conf, auth_line);
+		if (ret == OK) {
+			ret = do_krb5_an_to_ln(r, conf, r->pool);
+		}
    }
 #endif
 
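Review bot: The two new call sites pass different pools to `do_krb5_an_to_ln`, `r->connection->pool` on the Negotiate path and `r->pool` on the Basic path, and nothing in the hunk says why. The helper stores the mapped name with `apr_pstrdup(p, lname)`, so on the Negotiate path every request on a kept-alive connection adds a copy that is released only when the connection closes. If the longer lifetime is needed (presumably because the GSS result is reused across requests on the same connection), add a comment such as `/* mapped name must outlive the request; see connection-level auth cache */`; otherwise pass `r->pool` in both places. The enclosing function starts and ends outside this hunk, so it cannot be judged from here whether every path that sets the user also goes through the mapping. The re-indentation to tabs in these lines also differs from the three-space style of the surrounding context.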
