From 50e1e59a92f38e0751384b401016ea01fe01ed8f Mon Sep 17 00:00:00 2001
From: Simon Wilkinson
Date: Wed, 29 Oct 2008 19:43:42 +0000
Subject: [PATCH 1/1] aklog-attempt-order-comments-20081029 LICENSE IPL10 to clarify what gets tried when and why.
---
 src/aklog/aklog_main.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/aklog/aklog_main.c b/src/aklog/aklog_main.c
index 9bd0403..f16c730 100644
--- a/src/aklog/aklog_main.c
+++ b/src/aklog/aklog_main.c
@@ -453,7 +453,27 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
 retry = 1;
 while(retry) {
-
+
+ /* This code tries principals in the following, much debated,
+ * order:
+ *
+ * If the realm is specified on the command line we do
+ * - afs/cell@COMMAND-LINE-REALM
+ * - afs@COMMAND-LINE-REALM
+ *
+ * Otherwise, we do
+ * - afs/cell@REALM-FROM-USERS-PRINCIPAL
+ * - afs/cell@krb5_get_host_realm(db-server)
+ * Then, if krb5_get_host_realm(db-server) is non-empty
+ * - afs@ krb5_get_host_realm(db-server)
+ * Otherwise
+ * - afs/cell@ upper-case-domain-of-db-server
+ * - afs@ upper-case-domain-of-db-server
+ *
+ * In all cases, the 'afs@' variant is only tried where the
+ * cell and the realm match case-insensitively.
+ */
+
 /* Cell on command line - use that one */
 if (realm && realm[0]) {
 realm_of_cell = realm;
--
1.9.4
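Review bot: The ordering comment added at the top of the `while(retry)` loop does not separate realms taken from explicit input (command line, the user's principal) from realms that are guessed; by its own wording the last two attempts use `upper-case-domain-of-db-server`, a value derived from the database server's host name. Because this order decides which service principal a ticket is requested for, I would add a line such as `* Note: the upper-case-domain realm is a guess from the db-server's name, not from configuration.` so a reader can see which attempts rest on name-derived data. Whether krb5_get_host_realm() can also fall back to DNS depends on the Kerberos library configuration, which is not visible here, so that would be worth a hedged mention as well. The spacing is inconsistent (`afs@ krb5_get_host_realm(db-server)` and `afs/cell@ upper-case-domain-of-db-server` versus `afs/cell@krb5_get_host_realm(db-server)`) and the stray space reads like part of the principal syntax. auth_to_cell and the loop body continue outside the hunk, so the statement that `afs@` is only tried when cell and realm match case-insensitively cannot be checked against the code from here.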