sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)

natural-hair · rissson · web-flow · commit bfb81658c95d · 2025-01-06T13:11:34.000Z
Co-authored-by: Marc 'risson' Schmitt &lt;marc.schmitt@risson.space&gt;
diff --git a/authentik/sources/kerberos/auth.py b/authentik/sources/kerberos/auth.py
@@ -38,7 +38,9 @@ def auth_user(
         self, username: str, realm: str | None, password: str, **filters
     ) -> tuple[User | None, KerberosSource | None]:
         sources = KerberosSource.objects.filter(enabled=True)
-        user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()
+        user = User.objects.filter(
+            usersourceconnection__source__in=sources, username=username, **filters
+        ).first()
 
         if user is not None:
             # User found, let's get its connections for the sources that are available
@@ -77,7 +79,7 @@ def auth_user(
                         password, sender=user_source_connection.source
                     )
                     user_source_connection.user.save()
-                return user, user_source_connection.source
+                return user_source_connection.user, user_source_connection.source
             # Password doesn't match, onto next source
             LOGGER.debug(
                 "failed to kinit, password invalid",
