From 9a1c76efe744417ea9b876c7fcc668dda53c7db1 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Mon, 6 Jan 2025 15:22:15 +0100
Subject: [PATCH] sources/kerberos: authenticate with the user's username instead of the first username in authentik (cherry-pick #12497) (#12579)
sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)
Co-authored-by: natural-hair
Co-authored-by: Marc 'risson' Schmitt
---
 authentik/sources/kerberos/auth.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/authentik/sources/kerberos/auth.py b/authentik/sources/kerberos/auth.py
index e1f51fb7d3..7588af2ac8 100644
--- a/authentik/sources/kerberos/auth.py
+++ b/authentik/sources/kerberos/auth.py
@@ -38,7 +38,9 @@ class KerberosBackend(InbuiltBackend):
 self, username: str, realm: str | None, password: str, **filters
 ) -> tuple[User | None, KerberosSource | None]:
 sources = KerberosSource.objects.filter(enabled=True)
- user = User.objects.filter(usersourceconnection__source__in=sources, **filters).first()
+ user = User.objects.filter(
+ usersourceconnection__source__in=sources, username=username, **filters
+ ).first()
 if user is not None:
 # User found, let's get its connections for the sources that are available
@@ -77,7 +79,7 @@ class KerberosBackend(InbuiltBackend):
 password, sender=user_source_connection.source
 )
 user_source_connection.user.save()
- return user, user_source_connection.source
+ return user_source_connection.user, user_source_connection.source
 # Password doesn't match, onto next source
 LOGGER.debug(
 "failed to kinit, password invalid",
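Review bot: The added `username=username` keyword sits next to `**filters` in the `User.objects.filter(...)` call, so a caller that passes `username` inside `filters` would raise a `TypeError` for a duplicate keyword instead of failing authentication cleanly. The callers are outside this hunk, so this needs confirming against them. The diffstat shows only auth.py changed, and a fix for authenticating as the wrong account should carry a regression test: with two users linked to the same enabled source, submitting one user's password under the other's username must not return either user. A comment above the query would record the intent, e.g. `# Scope the lookup to the submitted username; without it .first() picks an arbitrary user linked to a Kerberos source`. The method body starts before and continues after this hunk.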
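Review bot: The new return value relies on `user_source_connection.user` being the account that was looked up by username, but the query that yields `user_source_connection` is outside this hunk, so that invariant cannot be checked here. If the connections are not already filtered on the looked-up `user`, a guard such as `if user_source_connection.user_id != user.pk: continue` before the password check would keep the two from diverging; this assumes the surrounding code is a loop, which the `onto next source` comment suggests. A one-line comment on the return would also help, e.g. `# Return the connection's user, the same object that was saved just above`.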