Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c
===================================================================
--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-05-08 10:30:59.000000000 +0200
+++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c 2008-05-08 10:31:05.000000000 +0200
@@ -165,6 +165,7 @@
char *krb_5_keytab;
int krb_method_gssapi;
int krb_method_k5pass;
+ int krb5_auth_to_local;
#endif
#ifdef KRB4
char *krb_4_srvtab;
@@ -227,6 +228,9 @@
command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass,
FLAG, "Enable Kerberos V5 password authentication."),
+
+ command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local,
+ FLAG, "Enable Kerberos V5 auth_to_local mapping."),
#endif
#ifdef KRB4
@@ -322,6 +326,7 @@
#ifdef KRB5
((kerb_auth_config *)rec)->krb_method_k5pass = 1;
((kerb_auth_config *)rec)->krb_method_gssapi = 1;
+ ((kerb_auth_config *)rec)->krb5_auth_to_local = 0;
#endif
#ifdef KRB4
((kerb_auth_config *)rec)->krb_method_k4pass = 1;
@@ -746,6 +751,78 @@
}
static int
+do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf, MK_POOL *p)
+{
+ const int lname_size = 1024;
+
+ krb5_context kcontext;
+ krb5_principal princ;
+ krb5_error_code code;
+ char lname[lname_size];
+ int ret;
+
+ if (!conf->krb5_auth_to_local) {
+ return OK;
+ }
+
+ ret = HTTP_INTERNAL_SERVER_ERROR;
+
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Cannot initialize Kerberos5 context (%d)", code);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ code = krb5_parse_name(kcontext, MK_USER, &princ);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_parse_name() failed for name %s: %s",
+ MK_USER,
+ krb5_get_err_text(kcontext, code));
+ krb5_free_context(kcontext);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ code = krb5_aname_to_localname(kcontext, princ, sizeof(lname), lname);
+ if (code) {
+ if (code != KRB5_LNAME_NOTRANS) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_aname_to_localname() failed: %s",
+ krb5_get_err_text(kcontext, code));
+ /* fall through */
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ "krb5_aname_to_localname() found no "
+ "mapping for principal %s",
+ MK_USER);
+ /* fall through */
+ }
+ }
+ else {
+ /* Does this belong in an authz handler? */
+ if (!krb5_kuserok(kcontext, princ, lname)) {
+ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ "krb5_kuserok(%s, %s) == false",
+ MK_USER, lname);
+ ret = HTTP_UNAUTHORIZED;
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ "doing auth_to_local: %s -> %s",
+ MK_USER, lname);
+ MK_USER = apr_pstrdup(p, lname);
+ ret = OK;
+ }
+ }
+ krb5_free_principal(kcontext, princ);
+ krb5_free_context(kcontext);
+
+ return ret;
+}
+
+static int
krb5_cache_cleanup(void *data)
{
krb5_context context;
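Review bot: `const int lname_size = 1024; char lname[lname_size];` declares a variable-length array, because a `const int` is not a constant expression in C; an enum constant gives a fixed-size buffer instead, `enum { LNAME_SIZE = 1024 }; char lname[LNAME_SIZE];`, and `sizeof(lname)` then stays a compile-time value. When krb5_aname_to_localname() returns KRB5_LNAME_NOTRANS the code falls through with ret still HTTP_INTERNAL_SERVER_ERROR, so a principal with no local mapping is refused with a 500 even though the NOTICE-level log treats it as an expected condition and the krb5_kuserok() branch uses HTTP_UNAUTHORIZED for the comparable refusal; if 500 is intended, a comment at that fall-through saying so would help, otherwise `ret = HTTP_UNAUTHORIZED;` there looks more consistent. The new `MK_USER = apr_pstrdup(p, lname);` allocates from whatever pool the caller supplies, and the two call sites in the later hunk pass different pools (`r->connection->pool` for the GSS path, `r->pool` for the Basic path); r->user is per request, so unless the GSS path has a reason for the connection pool, passing `r->pool` from both callers avoids memory accumulating across requests on a keep-alive connection. The krb5_kuserok() call is an authorization decision inside the authentication handler, as the existing comment already notes; it would be worth stating in a comment that KrbAuthToLocal therefore also denies principals that pass authentication but fail .k5login, since that is a behavioural change operators will see as 401s.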
@@ -1537,11 +1614,17 @@
#ifdef KRB5
if (use_krb5 && conf->krb_method_gssapi &&
- strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
- ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
+ strcasecmp(auth_type, MECH_NEGOTIATE) == 0) {
+ ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value);
+ if (ret == OK) {
+ ret = do_krb5_an_to_ln(r, conf, r->connection->pool);
+ }
} else if (use_krb5 && conf->krb_method_k5pass &&
- strcasecmp(auth_type, "Basic") == 0) {
- ret = authenticate_user_krb5pwd(r, conf, auth_line);
+ strcasecmp(auth_type, "Basic") == 0) {
+ ret = authenticate_user_krb5pwd(r, conf, auth_line);
+ if (ret == OK) {
+ ret = do_krb5_an_to_ln(r, conf, r->pool);
+ }
}
#endif