retry = 1;
while(retry) {
-
+
+ /* This code tries principals in the following, much debated,
+ * order:
+ *
+ * If the realm is specified on the command line we do
+ * - afs/cell@COMMAND-LINE-REALM
+ * - afs@COMMAND-LINE-REALM
+ *
+ * Otherwise, we do
+ * - afs/cell@REALM-FROM-USERS-PRINCIPAL
+ * - afs/cell@krb5_get_host_realm(db-server)
+ * Then, if krb5_get_host_realm(db-server) is non-empty
+ * - afs@ krb5_get_host_realm(db-server)
+ * Otherwise
+ * - afs/cell@ upper-case-domain-of-db-server
+ * - afs@ upper-case-domain-of-db-server
+ *
+ * In all cases, the 'afs@' variant is only tried where the
+ * cell and the realm match case-insensitively.
+ */
+
/* Cell on command line - use that one */
if (realm && realm[0]) {
realm_of_cell = realm;
if (dflag)
printf("Using Kerberos V5 ticket natively\n");
- len = min(get_princ_len(context, v5cred->client, 0),
- second_comp(context, v5cred->client) ?
- MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
- strncpy(username, get_princ_str(context, v5cred->client, 0), len);
- username[len] = '\0';
-
- if (second_comp(context, v5cred->client)) {
- strcat(username, ".");
- p = username + strlen(username);
- len = min(get_princ_len(context, v5cred->client, 1),
- MAXKTCNAMELEN - strlen(username) - 1);
- strncpy(p, get_princ_str(context, v5cred->client, 1), len);
- p[len] = '\0';
+ status = krb5_524_conv_principal (context, v5cred->client, &k4name, &k4inst, &k4realm);
+ if (status) {
+ afs_com_err(progname, status, "while converting principal "
+ "to Kerberos V4 format");
+ return(AKLOG_KERBEROS);
+ }
+ strcpy (username, k4name);
+ if (k4inst[0]) {
+ strcat (username, ".");
+ strcat (username, k4inst);
}
memset(&atoken, 0, sizeof(atoken));