The branch main has been updated by cy:
URL:
https://cgit.FreeBSD.org/src/commit/?id=b0e7b55a0e90d737cf469b78e9785b492b3c0d0f
commit b0e7b55a0e90d737cf469b78e9785b492b3c0d0f
Author: Cy Schubert <c...@freebsd.org>
AuthorDate: 2025-09-10 20:13:08 +0000
Commit: Cy Schubert <c...@freebsd.org>
CommitDate: 2025-09-12 14:32:48 +0000
krb5: Enable PRINC_LOOK_AHEAD in ksu
PRINC_LOOK_AHEAD is the upstream default. Normally ksu determines the
target princiapl by (quoted from the man page)
a. default principal of the source cache
b. target_user@local_realm
c. source_user@local_realm
With PRINC_LOOK_AHEAD emabled, for each candidate in the above
list, select an authorized principal that has the same realm name
and first part of the principal name equal to the prefix of the
candidate. For example if candidate a) is jqpub...@isi.edu and
jqpublic/sec...@isi.edu is authorized to access the target account
then the default principal is set to jqpublic/sec...@isi.edu.
Case 2: source user is root.
If the target user is non-root then the default principal name
is target_user@local_realm. Else, if the source cache exists
the default principal name is set to the default principal of
the source cache. If the source cache does not exist, default
principal name is set to root\@local_realm.
This commit restores the same behaviour as Heimdal ksu.
Reported by: Dan Mahoney <dmaho...@isc.org>
Requested by: Dan Mahoney <dmaho...@isc.org>
MFC after: 3 days
MFC to: 15/stable
Differential revision: https://reviews.freebsd.org/D52478
---
krb5/usr.bin/ksu/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/krb5/usr.bin/ksu/Makefile b/krb5/usr.bin/ksu/Makefile
index aaec461ce0b0..93860e38ce5c 100644
--- a/krb5/usr.bin/ksu/Makefile
+++ b/krb5/usr.bin/ksu/Makefile
@@ -24,7 +24,8 @@ SRCS= authorization.c \
CFLAGS+=-I${KRB5_DIR}/include \
-I${KRB5_SRCTOP}/include \
- -DGET_TGT_VIA_PASSWD
+ -DGET_TGT_VIA_PASSWD \
+ -DPRINC_LOOK_AHEAD
MAN= ksu.1
