kvalid_user Subroutine

Purpose

This routine maps the DCE principal to the local user account and determines if the DCE principal is allowed access to the account.

Library

Valid User Library (libvaliduser.a)

Syntax

int kvalid_user (char *princ_name, char *local_user)

Description

This routine is called when Kerberos 5 authentication is configured to determine if the incoming Kerberos 5 ticket should allow access to the local account.

This routine determines whether the DCE principal, specified by the princ_name parameter, is allowed access to the user's account identified by the local_user parameter. The routine accesses the $HOME/.k5login file for the user's account and looks for the string pointed to by princ_name in that file.

Access is granted if either of the following is true:

  1. The $HOME/.k5login file exists and the princ_name is in it.
  2. The $HOME/.k5login file does NOT exist and the DCE principal name is the same as the local user's name.

Parameters

Item         Description
princ_name   This parameter is a single-string representation of the Kerberos 5 principal. The Kerberos 5 libraries have two services, krb5_unparse_name and krb5_parse_name, which convert a krb5_principal structure to and from a single-string format. This routine expects the princ_name parameter to be a single-string form of the krb5_principal structure.
local_user   This parameter is the character string holding the name of the local account.

Return Values

If the user is allowed access to the account, the kvalid_user routine returns TRUE.

If the user is NOT allowed access to the account or there was an error, the kvalid_user routine returns FALSE.
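
The two access rules from the Description and the error-returns-FALSE behavior from Return Values, written out as an added example (this is not the libvaliduser.a source). The name k5login_allows, the explicit home argument, the one-principal-per-line file layout, and the exact string comparison used for rule 2 are assumptions made for illustration.

```c
/* Added example, not the libvaliduser.a source. The function name, the
 * explicit home argument and the one-principal-per-line layout are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 (TRUE) if princ_name may use local_user's account, else 0 (FALSE). */
int k5login_allows(const char *home, const char *princ_name, const char *local_user)
{
    char path[1024], line[1024];
    FILE *fp;
    int n, allowed = 0, line_start = 1;

    if (!home || !princ_name || !local_user || !*princ_name)
        return 0;                              /* bad input: fail closed */
    n = snprintf(path, sizeof path, "%s/.k5login", home);
    if (n < 0 || (size_t)n >= sizeof path)
        return 0;                              /* truncated path: fail closed */

    fp = fopen(path, "r");
    if (fp == NULL) {
        /* Rule 2 applies only when the file does NOT exist. Any other
         * failure (EACCES, EIO, ...) is an error, so access is denied. */
        if (errno != ENOENT)
            return 0;
        return strcmp(princ_name, local_user) == 0;
    }

    /* Rule 1: the file exists, so only principals listed in it are allowed,
     * even when the principal name equals the local user name. */
    while (!allowed && fgets(line, sizeof line, fp) != NULL) {
        size_t len = strlen(line);
        int complete = (len > 0 && line[len - 1] == '\n') || feof(fp);
        line[strcspn(line, "\r\n")] = '\0';    /* strip the line ending */
        /* Compare whole lines only: no substring or split-chunk matches. */
        if (line_start && complete && strcmp(line, princ_name) == 0)
            allowed = 1;
        line_start = complete;
    }
    if (ferror(fp))
        allowed = 0;                           /* read error: fail closed */
    fclose(fp);
    return allowed;
}
```

An unreadable .k5login is treated as an error, not as a missing file, so a permissions problem cannot fall through to the name-equality rule.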