jhrozek's pull request #19: "KRB5: Send the output username, not internal fqname to krb5_child" was opened
PR body: """ Resolves: https://fedorahosted.org/sssd/ticket/3172
krb5_child calls krb5_kuserok() during the access phase which checks if a particular user is allowed to authenticate as a particular principal. We used to pass the internal fqname to krb5_kuserok() which broke the functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child, because that's the username the system receives through getpwnam() or getpwuid() anyway. The patch also adds a new structure member for the krb5child_req structure to avoid reusing the pd->user variable but have an explicit one that serves as the input for the child process. """
See the full pull-request at https://github.com/SSSD/sssd/pull/19
... or pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/19/head:pr19
git checkout pr19