Displaying 2 results from an estimated 2 matches for "krb5_userok".

2007 Oct 10
GSSAPI Cross-Realm Patch
...m.diff.bz2 It works for me on MIT-kerb, and I tested compilation against heimdal, but I don't have a cross-realm setup to test functionality under heimdal (though I also have no reason to think it wouldn't work). Since neither MIT nor heimdal provide a gss_userok() function, I used the krb5_userok() function. So if you're using a mechanism other than krb5 this won't work. But it's the same thing that OpenSSH and the apps distributed with heimdal do, so it seemed relatively safe. I also choose to append the krb5_userok() check rather than replace the gss_compare_name() check -...
2009 Mar 03
GSSAPI cross-realm fixed
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a