gss_import_name() called with GSS_C_NT_USER_NAME instead of GSS_C_NT_HOSTBASED_SERVICE.

Roland C. Dowdeswell elric at imrryr.org
Tue Oct 27 19:54:18 UTC 2015


So, I'm debugging a problem where smbclient doesn't correctly
traverse my multiple realm environment but can only connect to
hosts in the same realm as the initiator.  I noticed the following
approximate pseudo-code snippet:
 
        sprintf(princ, "%s/%s@%s", service, host, realm);
        name_type = GSS_C_NT_USER_NAME;
 
        gss_import_name(..., princ, name_type, &name);
 
in source4/auth/gensec/gensec_gssapi.c lines 334-357 and
source3/librpc/crypto/gse.c lines 219-242.
 
In the source3 file, it has a comment indicating that it is intentionally
avoiding using the GSSAPI libraries because they may do DNS.

I would like to ask that this decision be reconsidered because I
do not think that it makes sense in the modern world.  I have a
few Kerberos realms and applications which use GSSAPI normally have
no difficulty traversing them either via DNS or KDC referrals.

In general, how this works is that you take the target hostname
from the user unmodified and:

	/* gss_import_name() takes a gss_buffer_t, not a C string */
	snprintf(gss_service, sizeof(gss_service), "%s@%s", service, hostname);
	buf.value = gss_service;
	buf.length = strlen(gss_service);

	maj = gss_import_name(&min, &buf, GSS_C_NT_HOSTBASED_SERVICE, &name);

This hands the unmodified hostname to the Kerberos libraries which
will then determine what realm the host is in.  Giving the name to
the Kerberos libraries allows the site's configuration to specify
the realm consistently with other Kerberised applications, thus
negating user surprise as things work the same way across applications.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
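The following is an added illustration, not code from the post above or from the Samba tree. It models the [domain_realm] lookup a Kerberos library performs for a GSS_C_NT_HOSTBASED_SERVICE name ("service@hostname") and puts it next to the hard-coded "service/host@<initiator realm>" construction the post describes, so the difference for a target in another realm is visible. The krb5.conf excerpt, realm names and hostnames are constructed for the example; the empty-realm result on a lookup miss is an assumption modelled on MIT krb5's referral form, and DNS canonicalization of the hostname is deliberately left out.

```python
# Added example, not Samba's or the post author's code. Models the
# [domain_realm] mapping a Kerberos library applies to a host-based GSS
# name; krb5.conf contents, realms and hostnames below are constructed.
import re

# Constructed site configuration: the initiator lives in INITIATOR.EXAMPLE,
# file servers in FILES.EXAMPLE, and one legacy box in a third realm.
KRB5_CONF = """\
[libdefaults]
    default_realm = INITIATOR.EXAMPLE

[domain_realm]
    .initiator.example = INITIATOR.EXAMPLE
    .files.example = FILES.EXAMPLE
    legacy-nas.files.example = LEGACY.EXAMPLE
"""


def parse_krb5_conf(text):
    """Parse flat 'key = value' sections into {section: {key: value}}.

    Real krb5.conf also allows nested braces and includes; this covers only
    the subset used in KRB5_CONF above.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        current[key.strip().lower()] = value.strip()
    return sections


def host_realm(hostname, conf):
    """Map a hostname to a realm as the [domain_realm] section is documented
    to work for MIT and Heimdal: exact host entry first, then each parent
    domain with a leading dot; a host entry also covers hosts beneath it
    unless an explicit dotted entry exists. Returns None when nothing
    matches, which is where a library would turn to DNS or KDC referrals.
    """
    mapping = conf.get("domain_realm", {})
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return None


def samba_style_name(service, hostname, initiator_realm):
    """The construction the post describes: realm copied from the initiator,
    imported as GSS_C_NT_USER_NAME, so the library never gets a say."""
    return f"{service}/{hostname}@{initiator_realm}"


def hostbased_name(gss_name, conf):
    """The GSS_C_NT_HOSTBASED_SERVICE path: the caller supplies
    'service@hostname' and the library picks the realm from site config.
    Assumption: an empty realm on a miss stands in for the referral form,
    where the client asks its own KDC rather than guessing."""
    service, _, host = gss_name.partition("@")
    host = host.rstrip(".").lower()
    realm = host_realm(host, conf)
    return f"{service}/{host}@{realm or ''}"


def compare(service, hostname, conf):
    """Return (hard-coded principal, library-derived principal) for one host."""
    initiator_realm = conf["libdefaults"]["default_realm"]
    return (samba_style_name(service, hostname, initiator_realm),
            hostbased_name(f"{service}@{hostname}", conf))


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("srv1.initiator.example", "srv1.files.example",
                 "legacy-nas.files.example", "printer.other.example"):
        hard, lib = compare("cifs", host, conf)
        print(f"{host:26s} hard-coded: {hard:44s} library: {lib}")
```

Only the host in the initiator's own realm gets the same principal from both paths; for srv1.files.example the hard-coded form asks the initiator's KDC for cifs/srv1.files.example@INITIATOR.EXAMPLE, a principal that realm does not hold, which is the failure mode the post describes.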



More information about the samba-technical mailing list