aklog-524-vars-20090216
[openafs.git] / src / aklog / aklog_main.c
index 84caa86..d2886af 100644 (file)
@@ -453,7 +453,27 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
        retry = 1;
        
        while(retry) {
-           
+
+           /* This code tries principals in the following, much debated,
+            * order:
+            * 
+            * If the realm is specified on the command line we do
+            *    - afs/cell@COMMAND-LINE-REALM
+            *    - afs@COMMAND-LINE-REALM
+            * 
+            * Otherwise, we do
+            *    - afs/cell@REALM-FROM-USERS-PRINCIPAL
+            *    - afs/cell@krb5_get_host_realm(db-server)
+            *   Then, if krb5_get_host_realm(db-server) is non-empty
+            *      - afs@ krb5_get_host_realm(db-server)
+            *   Otherwise
+            *      - afs/cell@ upper-case-domain-of-db-server
+            *      - afs@ upper-case-domain-of-db-server
+            * 
+            * In all cases, the 'afs@' variant is only tried where the
+            * cell and the realm match case-insensitively.
+            */
+               
            /* Cell on command line - use that one */
            if (realm && realm[0]) {
                realm_of_cell = realm;
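Review bot: The added comment block leaves trailing whitespace on its blank separator lines (the bare ` * ` lines) and on the otherwise empty line after the closing `*/`; trimming it keeps the hunk clean under whitespace checks and avoids noise in later blame. The principal spellings `afs@ krb5_get_host_realm(db-server)` and `afs/cell@ upper-case-domain-of-db-server` carry a space after `@`, which reads as a typo in a principal name; `afs@krb5_get_host_realm(db-server)` and `afs/cell@upper-case-domain-of-db-server` say the same thing unambiguously. The branches this comment describes, and the rest of auth_to_cell, lie outside the hunk, so whether the text matches the code cannot be checked here.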
@@ -518,8 +538,10 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
                                    "%s.\n", progname, cell_to_use);
                            exit(AKLOG_MISC);
                        }
-                       printf("We've deduced that we need to authenticate to"
-                              " realm %s.\n", realm_of_cell);
+                       if (dflag) {
+                           printf("We've deduced that we need to authenticate"
+                                  " to realm %s.\n", realm_of_cell);
+                       }
                    }
                    status = get_credv5(context, AFSKEY, cell_to_use, 
                                        realm_of_cell, &v5cred);
@@ -605,24 +627,22 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
 
        if (! do524) {
            char *p;
+           char k4name[ANAME_SZ], k4inst[INST_SZ], k4realm[REALM_SZ];
            int len;
 
            if (dflag)
                printf("Using Kerberos V5 ticket natively\n");
 
-           len = min(get_princ_len(context, v5cred->client, 0),
-                     second_comp(context, v5cred->client) ?
-                                       MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
-           strncpy(username, get_princ_str(context, v5cred->client, 0), len);
-           username[len] = '\0';
-
-           if (second_comp(context, v5cred->client)) {
-               strcat(username, ".");
-               p = username + strlen(username);
-               len = min(get_princ_len(context, v5cred->client, 1),
-                         MAXKTCNAMELEN - strlen(username) - 1);
-               strncpy(p, get_princ_str(context, v5cred->client, 1), len);
-               p[len] = '\0';
+           status = krb5_524_conv_principal (context, v5cred->client, &k4name, &k4inst, &k4realm);
+           if (status) {
+               afs_com_err(progname, status, "while converting principal "
+                       "to Kerberos V4 format");
+               return(AKLOG_KERBEROS);
+           }
+           strcpy (username, k4name);
+           if (k4inst[0]) {
+               strcat (username, ".");
+               strcat (username, k4inst);
            }
 
            memset(&atoken, 0, sizeof(atoken));
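Review bot: The rewritten copy into `username` drops the MAXKTCNAMELEN bound that the removed lines enforced: `strcpy(username, k4name)` followed by the two `strcat` calls can write up to ANAME_SZ + 1 + INST_SZ bytes plus the terminator, and username's declaration is not visible in this hunk, so if it is still MAXKTCNAMELEN bytes a long V4 name/instance pair overflows it. A bounded build keeps the old guarantee and makes truncation an explicit error on the same path the conversion failure already uses: `if (snprintf(username, MAXKTCNAMELEN, "%s%s%s", k4name, k4inst[0] ? "." : "", k4inst) >= MAXKTCNAMELEN) { afs_com_err(progname, 0, "Kerberos V4 principal name too long"); return(AKLOG_KERBEROS); }`. The `&k4name`, `&k4inst`, `&k4realm` arguments are pointers to arrays rather than the `char *` parameters krb5_524_conv_principal declares; passing `k4name, k4inst, k4realm` yields the same addresses without the incompatible-pointer-type warning. `p` and `len` appear to have lost their only uses in this hunk; if nothing later in the function reads them, the declarations on the two lines above should go too. auth_to_cell begins and ends outside the hunk.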