From 83f24636ef8d3d2b9c5be46272781ed5e0497ca7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Oct 2012 16:14:40 +0200
Subject: krb5_auth: check if principal belongs to a different realm

Add a flag if the principal used for authentication does not belong
to our realm. This can be used to act differently for users from other
realms.
---
 src/providers/krb5/krb5_auth.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/providers/krb5/krb5_auth.c')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c98535b1..72f0711e 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -427,6 +427,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
                 DEBUG(1, ("krb5_get_simple_upn failed.\n"));
                 goto done;
             }
+        } else {
+            ret = compare_principal_realm(kr->upn, realm,
+                                          &kr->upn_from_different_realm);
+            if (ret != 0) {
+                DEBUG(SSSDBG_OP_FAILURE, ("compare_principal_realm failed.\n"));
+                goto done;
+            }
         }
 
         kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR,
-- 
cgit