localauth: make plugin non-authoritative on failures According to the documentation in localauth_plugin.h "aname will be considered authorized if at least one module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE." So it is safe to always return KRB5_PLUGIN_NO_HANDLE because a different plugin has to return 0 to allow access to the given principal. Resolves https://fedorahosted.org/sssd/ticket/2788 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

localauth plugin: fix coverity warning Error: FORWARD_NULL (CWE-476): [#def1] sssd-1.12.90/src/krb5_plugin/sssd_krb5_localauth_plugin.c:111: assign_zero: Assigning: "pwd.pw_name" = "NULL". sssd-1.12.90/src/krb5_plugin/sssd_krb5_localauth_plugin.c:142: var_deref_model: Passing null pointer "pwd.pw_name" to "strdup", which dereferences it. 140| } 141| 142|-> str = strdup(pwd.pw_name); 143| if (str == NULL) { 144| ret = ENOMEM; Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Implement MIT Kerberos localauth plugin The MIT Kerberos localauth pluing interface defines two different calls. The first checks if a given Kerberos principal relates to a given name of a local user (userok). The implementation lets SSSD resolve the principal and the user name and if the returned user entries both have the same UID success is returned. The second translates a given Kerberos principal to a local user name (a2l). Here SSSD is only called once to resolve the principal and the user name is returned. Resolves https://fedorahosted.org/sssd/ticket/1835 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add conditional build for MIT Kerberos localauth plugin This patch adds everything what is needed to build the MIT Kerberos localauth plugin if the used version of MIT Kerberos supports it. It does not implement the plugin. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>