
Domain_realm mapping interop with MIT Kerberos

Open grawity opened this issue 1 year ago • 1 comments

I don't know whether the implementation of the krb5.conf file is meant to be fully compatible with MIT Kerberos (which defined the file) but posting anyway.

#326 added:

```rust
/// Returns true when `domain` is covered by the `[domain_realm]` key
/// `mapping_domain`. A key with a leading dot (".example.com") is a
/// suffix match on the parent domain; any other key is an exact match.
fn matches_domain(domain: &str, mapping_domain: &str) -> bool {
    if mapping_domain.starts_with('.') {
        // Drop the first label of `domain` and compare the remainder
        // with the mapping key minus its leading dot.
        domain
            .split_once('.')
            .map(|(_, remaining)| remaining.eq_ignore_ascii_case(&mapping_domain[1..]))
            .unwrap_or(false)
    } else {
        domain.eq_ignore_ascii_case(mapping_domain)
    }
}
```

which, if I understand the code correctly, treats example.com as an exact match and .example.com as a suffix match.

According to https://github.com/krb5/krb5/commit/8f5ce824012f2caab6770df464f096c38dc4cb2e, however, that's not how MIT Kerberos handles it – their docs claimed it did but that didn't match the code, and they chose to keep the code behavior and change docs. So instead, a plain example.com matches itself and subdomains (unless overridden by an explicit .example.com setting), whereas .example.com only matches subdomains but not itself.

(I don't know how Heimdal Kerberos handles it; couldn't figure out the code.)

grawity avatar Nov 25 '24 17:11 grawity
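The MIT semantics described in the post, as an added example that is neither sspi-rs code nor MIT's: a hostname is looked up exactly first, then each parent domain is tried in its dotted form before its plain form, so the most specific entry wins, a plain `example.com` also covers its subdomains, and `.example.com` covers subdomains only. The `[domain_realm]` snippet and the search order are assumptions made for the example.

```rust
use std::collections::HashMap;

/// Parse the body of a krb5.conf `[domain_realm]` section ("domain = REALM" per line).
/// Keys are lower-cased so lookups are case-insensitive; `#` starts a comment.
pub fn parse_domain_realm(section: &str) -> HashMap<String, String> {
    section
        .lines()
        .filter_map(|line| {
            let line = line.split('#').next()?.trim();
            let (domain, realm) = line.split_once('=')?;
            Some((domain.trim().to_ascii_lowercase(), realm.trim().to_string()))
        })
        .collect()
}

/// Map `host` to a realm. Search order (most specific first): the full hostname,
/// then for every parent domain its dotted entry (".parent", subdomains only)
/// before its plain entry ("parent", which also matches the domain itself).
pub fn lookup_realm(host: &str, domain_realm: &HashMap<String, String>) -> Option<String> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    // An entry for the exact hostname wins over everything else.
    if let Some(realm) = domain_realm.get(&host) {
        return Some(realm.clone());
    }
    // Walk the parents: "a.b.example.com" -> "b.example.com" -> "example.com" -> "com".
    let mut rest = host.as_str();
    while let Some((_, parent)) = rest.split_once('.') {
        // ".parent" is checked first, so it overrides a plain "parent" entry ...
        if let Some(realm) = domain_realm.get(&format!(".{parent}")) {
            return Some(realm.clone());
        }
        // ... and a plain "parent" entry covers its subdomains as well.
        if let Some(realm) = domain_realm.get(parent) {
            return Some(realm.clone());
        }
        rest = parent;
    }
    None
}

fn main() {
    // Constructed sample section, not taken from any real configuration.
    let section = "example.com = EXAMPLE.COM\n.eu.example.com = EU.EXAMPLE.COM # subdomains only";
    let map = parse_domain_realm(section);
    for host in ["example.com", "eu.example.com", "host.eu.example.com", "other.org"] {
        println!("{host} -> {:?}", lookup_realm(host, &map));
    }
}
```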

Thank you for reporting this. I think we should aim to be as close as possible. FYI @TheBestTvarynka

CBenoit avatar Nov 26 '24 00:11 CBenoit