retry = 1;
while(retry) {
-
+
+ /* This code tries principals in the following, much debated,
+ * order:
+ *
+ * If the realm is specified on the command line we do
+ * - afs/cell@COMMAND-LINE-REALM
+ * - afs@COMMAND-LINE-REALM
+ *
+ * Otherwise, we do
+ * - afs/cell@REALM-FROM-USERS-PRINCIPAL
+ * - afs/cell@krb5_get_host_realm(db-server)
+ * Then, if krb5_get_host_realm(db-server) is non-empty
+ * - afs@ krb5_get_host_realm(db-server)
+ * Otherwise
+ * - afs/cell@ upper-case-domain-of-db-server
+ * - afs@ upper-case-domain-of-db-server
+ *
+ * In all cases, the 'afs@' variant is only tried where the
+ * cell and the realm match case-insensitively.
+ */
+
/* Cell on command line - use that one */
if (realm && realm[0]) {
realm_of_cell = realm;
"%s.\n", progname, cell_to_use);
exit(AKLOG_MISC);
}
- printf("We've deduced that we need to authenticate to"
- " realm %s.\n", realm_of_cell);
+ if (dflag) {
+ printf("We've deduced that we need to authenticate"
+ " to realm %s.\n", realm_of_cell);
+ }
}
status = get_credv5(context, AFSKEY, cell_to_use,
realm_of_cell, &v5cred);
static krb5_principal client_principal = 0;
if (dflag) {
- printf("Getting tickets: %s%s%s@%s\n", name, inst[0] ? "/" : "",
- inst, realm);
+ printf("Getting tickets: %s%s%s@%s\n", name, (inst && inst[0])
+ ? "/" : "", inst ? inst : "", realm);
}
memset((char *)&increds, 0, sizeof(increds));