Diffstat (limited to 'src/lib/gssapi/krb5/gssapi_krb5.c')
-rw-r--r-- | src/lib/gssapi/krb5/gssapi_krb5.c | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index a503744e52..bc02a0716a 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -797,17 +797,28 @@ krb5_gss_pname_to_uid(OM_uint32 *minor,
 #endif /* !NO_PASSWORD */
 
 static OM_uint32
-krb5_gss_userok(OM_uint32 *minor,
-                const gss_name_t pname,
-                const char *local_user,
-                int *user_ok)
+krb5_gss_authorize_localname(OM_uint32 *minor,
+                             const gss_name_t pname,
+                             gss_const_buffer_t local_user,
+                             gss_const_OID name_type)
 {
     krb5_context context;
     krb5_error_code code;
     krb5_gss_name_t kname;
+    char *user;
+    int user_ok;
 
-    *minor = 0;
-    *user_ok = 0;
+    if (name_type != GSS_C_NO_OID &&
+        !g_OID_equal(name_type, GSS_C_NT_USER_NAME)) {
+        return GSS_S_BAD_NAMETYPE;
+    }
+
+    if (!kg_validate_name(pname)) {
+        *minor = (OM_uint32)G_VALIDATE_FAILED;
+        return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+    }
+
+    kname = (krb5_gss_name_t)pname;
 
     code = krb5_gss_init_context(&context);
     if (code != 0) {
@@ -815,19 +826,23 @@ krb5_gss_userok(OM_uint32 *minor,
         return GSS_S_FAILURE;
     }
 
-    if (!kg_validate_name(pname)) {
-        *minor = (OM_uint32)G_VALIDATE_FAILED;
+    user = k5alloc(local_user->length + 1, &code);
+    if (user == NULL) {
+        *minor = code;
         krb5_free_context(context);
-        return GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME;
+        return GSS_S_FAILURE;
     }
 
-    kname = (krb5_gss_name_t)pname;
+    memcpy(user, local_user->value, local_user->length);
+    user[local_user->length] = '\0';
 
-    *user_ok = krb5_kuserok(context, kname->princ, local_user);
+    user_ok = krb5_kuserok(context, kname->princ, user);
+    free(user);
     krb5_free_context(context);
 
-    return GSS_S_COMPLETE;
+    *minor = 0;
+    return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED;
 }
 
 static struct gss_config krb5_mechanism = {
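Review bot: The new early `return GSS_S_BAD_NAMETYPE;` at the top of krb5_gss_authorize_localname leaves `*minor` unset, whereas the removed `*minor = 0;` used to initialize it before any return, so a caller that reports the minor status on that path reads an indeterminate value. Making `*minor = 0;` the first statement of the function, ahead of the name_type test, restores the old contract for every early return and makes the `*minor = 0;` added near the end of the function redundant. The body of krb5_gss_authorize_localname continues into the next hunk.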
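Review bot: The conversion of `local_user` into a NUL-terminated string before `krb5_kuserok` does not reject a buffer that already contains a NUL byte, so the authorization decision would be made for a shorter name than the one the caller supplied; the same lines also dereference `local_user` without checking for GSS_C_NO_BUFFER. Alongside the other argument checks ahead of `krb5_gss_init_context`, add `if (local_user == GSS_C_NO_BUFFER || local_user->value == NULL ||` / `    memchr(local_user->value, '\0', local_user->length) != NULL)` / `    return GSS_S_BAD_NAME;`, setting `*minor` as the other early returns do (if it is placed after the context is created it also needs the `krb5_free_context(context)` the k5alloc failure path already does). A zero-length buffer with a NULL value may be legitimate under the GSS buffer convention, in which case the `value == NULL` test should apply only when `length != 0` — worth confirming against how other gss_buffer arguments in this file are treated. The enclosing function starts in the previous hunk.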
@@ -881,7 +896,7 @@ static struct gss_config krb5_mechanism = {
 #else
     krb5_gss_pname_to_uid,
 #endif
-    krb5_gss_userok,
+    krb5_gss_authorize_localname,
     krb5_gss_export_name,
     krb5_gss_duplicate_name,
     krb5_gss_store_cred,
|