Date: Sun, 14 Sep 2025 15:21:03 GMT
Message-Id: <202509141521.58EFL3wu015323@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: b36435210a1e - stable/15 - krb5: Enable PRINC_LOOK_AHEAD in ksu
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: b36435210a1e07b2704f65f6c69c0645ac2e5657
Auto-Submitted: auto-generated

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=b36435210a1e07b2704f65f6c69c0645ac2e5657

commit b36435210a1e07b2704f65f6c69c0645ac2e5657
Author:     Cy Schubert
AuthorDate: 2025-09-10 20:13:08 +0000
Commit:     Cy Schubert
CommitDate: 2025-09-14 15:20:53 +0000

    krb5: Enable PRINC_LOOK_AHEAD in ksu

    PRINC_LOOK_AHEAD is the upstream default.

    Normally ksu determines the target principal by (quoted from the man
    page)

    a. default principal of the source cache
    b. target_user@local_realm
    c. source_user@local_realm

    With PRINC_LOOK_AHEAD enabled, for each candidate in the above list,
    select an authorized principal that has the same realm name and first
    part of the principal name equal to the prefix of the candidate. For
    example if candidate a) is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU
    is authorized to access the target account then the default principal
    is set to jqpublic/secure@ISI.EDU.

    Case 2: source user is root. If the target user is non-root then the
    default principal name is target_user@local_realm. Else, if the source
    cache exists the default principal name is set to the default principal
    of the source cache. If the source cache does not exist, default
    principal name is set to root\@local_realm.

    This commit restores the same behaviour as Heimdal ksu.

Reported by: Dan Mahoney Requested by: Dan Mahoney Differential revision: https://reviews.freebsd.org/D52478 (cherry picked from commit b0e7b55a0e90d737cf469b78e9785b492b3c0d0f) --- krb5/usr.bin/ksu/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krb5/usr.bin/ksu/Makefile b/krb5/usr.bin/ksu/Makefile index aaec461ce0b0..93860e38ce5c 100644 --- a/krb5/usr.bin/ksu/Makefile +++ b/krb5/usr.bin/ksu/Makefile @@ -24,7 +24,8 @@ SRCS= authorization.c \ CFLAGS+=-I${KRB5_DIR}/include \ -I${KRB5_SRCTOP}/include \ - -DGET_TGT_VIA_PASSWD + -DGET_TGT_VIA_PASSWD \ + -DPRINC_LOOK_AHEAD MAN= ksu.1
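
Review bot: The added -DPRINC_LOOK_AHEAD in the CFLAGS block changes which principal ksu selects by default on an existing stable/15 system, yet the diffstat shows only the Makefile changing, so nothing in the tree records the behaviour change. Suggest a short comment above the define noting that it matches the upstream default and restores the Heimdal ksu behaviour, plus a Relnotes: trailer or UPDATING entry: per the commit message, a site that has authorized an instance such as jqpublic/secure@ISI.EDU for a target account will now have ksu default to that instance rather than jqpublic@ISI.EDU. It is also worth confirming that ksu.1, installed via the MAN= line in this hunk's context, describes the look-ahead rule as now compiled.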