+ krb5_free_principal(kcontext, princ);
+ if (problem) {
+ snprintf(errstr, sizeof(errstr), "Failed to store credentials: %s",
+ krb5_get_err_text(kcontext, problem));
+ krb5_cc_destroy(kcontext, ccache);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ krb5_cc_close(kcontext, ccache);
+ return OK;
+}
+
+
+int authenticate_user_krb5pwd(request_rec *r,
+ kerb_auth_config *conf,
+ const char *auth_line)
+{
+ const char *sent_pw = NULL;
+ const char *sent_name = NULL;
+ const char *realms = NULL;
+ krb5_context kcontext = NULL;
+ krb5_error_code code;
+ krb5_principal client = NULL;
+ krb5_ccache ccache = NULL;
+ krb5_keytab keytab = NULL;
+ int ret;
+ char *name = NULL;
+ int all_principals_unkown;
+
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Cannot initialize Kerberos5 context (%d)", code);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ sent_pw = ap_pbase64decode(r->pool, auth_line);
+ sent_name = ap_getword (r->pool, &sent_pw, ':');
+ /* do not allow user to override realm setting of server */
+ if (strchr(sent_name, '@')) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "specifying realm in user name is prohibited");
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+
+ if (sent_pw == NULL || *sent_pw == '\0') {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "empty passwords are not accepted");
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+
+ if (conf->krb_5_keytab)
+ krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
+
+ all_principals_unkown = 1;
+ realms = conf->krb_auth_realms;
+ do {
+ if (realms && (code = krb5_set_default_realm(kcontext,
+ ap_getword_white(r->pool, &realms)))){
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_set_default_realm() failed: %s",