Open
Labels: enhancement (New feature or request)
Description
I don't know whether the implementation of the krb5.conf file is meant to be fully compatible with MIT Kerberos (which defined the file) but posting anyway.
#326 added:

```rust
fn matches_domain(domain: &str, mapping_domain: &str) -> bool {
    if mapping_domain.starts_with('.') {
        // Dotted entry: compare what follows the first label of `domain`
        // with the entry minus its leading dot.
        domain
            .split_once('.')
            .map(|(_, remaining)| remaining.eq_ignore_ascii_case(&mapping_domain[1..]))
            .unwrap_or(false)
    } else {
        // Plain entry: case-insensitive exact comparison.
        domain.eq_ignore_ascii_case(mapping_domain)
    }
}
```

which, if I understand the code correctly, treats `example.com` as an exact match and `.example.com` as a suffix match.

According to krb5/krb5@8f5ce82, however, that's not how MIT Kerberos handles it – their docs claimed it did but that didn't match the code, and they chose to keep the code behavior and change docs. So instead, a plain `example.com` matches itself and subdomains (unless overridden by an explicit `.example.com` setting), whereas `.example.com` only matches subdomains but not itself.
(I don't know how Heimdal Kerberos handles it; couldn't figure out the code.)
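An added example, not part of the original issue or the project's code: a realm lookup that follows the MIT behavior described above. `realm_for_host` and `build` are hypothetical names, the realm names are constructed, and the candidate order (most specific first, dotted form before plain form at each level) is an assumption consistent with that description.

```rust
use std::collections::HashMap;

/// Hypothetical helper: store [domain_realm] keys lowercased so lookups are
/// case-insensitive.
fn build(entries: &[(&str, &str)]) -> HashMap<String, String> {
    entries
        .iter()
        .map(|(domain, realm)| (domain.to_ascii_lowercase(), realm.to_string()))
        .collect()
}

/// Hypothetical helper: resolve `host` to a realm.
/// Candidates for "a.b.example.com" are tried in this order:
/// "a.b.example.com", ".b.example.com", "b.example.com", ".example.com",
/// "example.com", ".com", "com". The first entry found wins, so a plain
/// "example.com" covers itself and its subdomains unless ".example.com" is
/// also present, and ".example.com" never matches the host "example.com".
fn realm_for_host<'a>(host: &str, domain_realm: &'a HashMap<String, String>) -> Option<&'a str> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let mut candidate: &str = &host;
    loop {
        if let Some(realm) = domain_realm.get(candidate) {
            return Some(realm.as_str());
        }
        candidate = if let Some(rest) = candidate.strip_prefix('.') {
            rest // ".b.example.com" -> "b.example.com"
        } else {
            match candidate.find('.') {
                Some(i) => &candidate[i..], // "a.b.example.com" -> ".b.example.com"
                None => return None,        // no labels left to strip
            }
        };
    }
}

fn main() {
    // Constructed sample mapping with both forms present.
    let map = build(&[("example.com", "PLAIN.REALM"), (".example.com", "DOTTED.REALM")]);
    for host in ["example.com", "www.example.com", "a.b.Example.COM", "other.org"] {
        println!("{host} -> {:?}", realm_for_host(host, &map));
    }
}
```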