author Andreas Schneider <asn@samba.org> 2018-06-15 14:59:00 +0200
committer Karolin Seeger <kseeger@samba.org> 2018-06-25 13:07:26 +0200
commit 0196569dbe834a9d3de075fd279f6fdcb1774874 (patch)
tree dae87548e89550b9a368c84253e94e1258e5e1c2 /WHATSNEW.txt
parent 228e5d4f75bd8e02ea06fe2ebb1ae41038c369d9 (diff)
krb5_plugin: Add winbind localauth plugin for MIT Kerberos

Applications (like OpenSSH) don't know about users and their
relationship to Kerberos principals. This plugin allows that Kerberos
principals can be validated against local user accounts.

Administrator@WURST.WORLD -> WURST\Administrator

https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 5e89a23ffaceccdc83d70a4ab2798ae25c10d580)

Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- WHATSNEW.txt 13
1 files changed, 13 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2ca0f8e1ca4..c9f3554844c 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -488,6 +488,19 @@ This new module integrates with Sophos, F-Secure and ClamAV anti-virus
software to provide scanning and filtering of files on a Samba share.
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
REMOVED FEATURES
================
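
Review bot: The last added sentence has a typo and a stray article: "not for the geting the initial ticket granting ticket" should read something like "not to getting the initial ticket granting ticket". Beyond that, the new section describes what the plugin does but never says how an administrator enables it or where that is documented, so a reader of the release notes cannot tell whether it is active by default; a one-line pointer to the relevant configuration or man page would close that gap. The heading says "authorization" while the body says "auth would fail", which is ambiguous between authentication and authorization; spelling out which step fails would make the 'alice' versus 'ALICE' example clearer. It would also help to state whether the name comparison done through winbind is case-insensitive, since that is the property that decides which principals are accepted for a given local account.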