From: Simon Wilkinson Date: Wed, 29 Oct 2008 19:43:42 +0000 (+0000) Subject: aklog-attempt-order-comments-20081029 X-Git-Tag: openafs-devel-1_5_61~718 X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=50e1e59a92f38e0751384b401016ea01fe01ed8f;hp=ef70f73141bf9940ec10d42c2d6ab5b6b341cdc9 aklog-attempt-order-comments-20081029 LICENSE IPL10 to clarify what gets tried when and why. --- diff --git a/src/aklog/aklog_main.c b/src/aklog/aklog_main.c index 9bd0403..f16c730 100644 --- a/src/aklog/aklog_main.c +++ b/src/aklog/aklog_main.c @@ -453,7 +453,27 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm) retry = 1; while(retry) { - + + /* This code tries principals in the following, much debated, + * order: + * + * If the realm is specified on the command line we do + * - afs/cell@COMMAND-LINE-REALM + * - afs@COMMAND-LINE-REALM + * + * Otherwise, we do + * - afs/cell@REALM-FROM-USERS-PRINCIPAL + * - afs/cell@krb5_get_host_realm(db-server) + * Then, if krb5_get_host_realm(db-server) is non-empty + * - afs@ krb5_get_host_realm(db-server) + * Otherwise + * - afs/cell@ upper-case-domain-of-db-server + * - afs@ upper-case-domain-of-db-server + * + * In all cases, the 'afs@' variant is only tried where the + * cell and the realm match case-insensitively. + */ + /* Cell on command line - use that one */ if (realm && realm[0]) { realm_of_cell = realm;
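Review bot: In the "Otherwise, we do" branch of the new comment, "afs/cell@krb5_get_host_realm(db-server)" is listed before the "if krb5_get_host_realm(db-server) is non-empty" test, so a reader cannot tell whether that attempt is skipped when the lookup returns nothing. State that case explicitly, and reword the nested "Otherwise" (for example "If it is empty") so it cannot be read as pairing with the outer "Otherwise, we do". The last three entries ("afs@ krb5_get_host_realm(db-server)", "afs/cell@ upper-case-domain-of-db-server", "afs@ upper-case-domain-of-db-server") have a space after the "@" that the earlier entries lack, which makes them look like a different principal form; drop the space. Because this ordering decides which service principal is tried for the cell, the closing sentence about the 'afs@' variant should also say which realm is being compared with the cell name at each step. The first -/+ pair appears to change only whitespace on a blank line and could be left out of a comment-only patch.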