From 2d85294edef13764bcc297de6f6c24d70c9779d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Sun, 14 Sep 2008 15:27:42 +0000
Subject: [PATCH] Default to use the username as passed in by the user.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23843 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/init_sec_context.c | 64 +++++++++++++++++-------------
 1 file changed, 37 insertions(+), 27 deletions(-)

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 64a339064..dfa0e935e 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -173,7 +173,8 @@ gsskrb5_get_creds(
 	krb5_context context,
 	krb5_ccache ccache,
 	gsskrb5_ctx ctx,
-	krb5_const_principal target_name,
+	const gss_name_t target_name,
+	int use_dns,
 	OM_uint32 time_req,
 	OM_uint32 * time_rec,
 	krb5_creds ** cred)
@@ -185,6 +186,16 @@ gsskrb5_get_creds(
 
     *cred = NULL;
 
+    if (ctx->target) {
+	krb5_free_principal(context, ctx->target);
+	ctx->target = NULL;
+    }
+
+    ret = _gsskrb5_canon_name(minor_status, context, use_dns,
+			      target_name, &ctx->target);
+    if (ret)
+	return ret;
+
     memset(&this_cred, 0, sizeof(this_cred));
     this_cred.client = ctx->source;
     this_cred.server = ctx->target;
@@ -351,7 +362,7 @@ init_auth
     krb5_data outbuf;
     krb5_data fwd_data;
     OM_uint32 lifetime_rec;
-    int use_dns = 1;
+    int allow_dns = 1;
 
     krb5_data_zero(&outbuf);
     krb5_data_zero(&fwd_data);
@@ -379,21 +390,6 @@ init_auth
 	goto failure;
     }
 
-    /* canon name if needed for client + target realm */
-    kret = krb5_cc_get_config(context, ctx->ccache, NULL,
-			      "realm-config", &outbuf);
-    if (kret == 0) {
-	/* XXX 2 is no server canon */
-	if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
-	    use_dns = 0;
-	krb5_data_free(&outbuf);
-    }
-
-    ret = _gsskrb5_canon_name(minor_status, context, use_dns,
-			      name, &ctx->target);
-    if (ret)
-	goto failure;
-
     ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
     if (ret)
 	goto failure;
@@ -413,14 +409,29 @@ init_auth
 	krb5_set_default_in_tkt_etypes(context, enctypes);
     }
 
-    ret = gsskrb5_get_creds(minor_status,
-			    context,
-			    ctx->ccache,
-			    ctx,
-			    ctx->target,
-			    time_req,
-			    time_rec,
-			    &ctx->kcred);
+    /* canon name if needed for client + target realm */
+    kret = krb5_cc_get_config(context, ctx->ccache, NULL,
+			      "realm-config", &outbuf);
+    if (kret == 0) {
+	/* XXX 2 is no server canon */
+	if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
+	    allow_dns = 0;
+	krb5_data_free(&outbuf);
+    }
+
+    /*
+     * First we try w/o dns, hope that the KDC have register alias
+     * (and referrals if cross realm) for this principal. If that
+     * fails and if we are allowed to using this realm try again with
+     * DNS canonicalizion.
+     */
+    ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
+			    ctx, name, 0, time_req, 
+			    time_rec, &ctx->kcred);
+    if (ret && allow_dns)
+	ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
+				ctx, name, 1, time_req, 
+				time_rec, &ctx->kcred);
     if (ret)
 	goto failure;
 
@@ -430,9 +441,8 @@ init_auth
 				 context,
 				 ctx->lifetime,
 				 &lifetime_rec);
-    if (ret) {
+    if (ret)
 	goto failure;
-    }
 
     if (lifetime_rec == 0) {
 	*minor_status = 0;