Removed "weak" option and implemented use-referrals/no-referrals

lib/krb5/get_cred.c

@@ -1444,6 +1444,12 @@ next_rule:
     if(options & KRB5_GC_CACHED)
 	goto next_rule;
 
+    if(rule_opts & KRB5_NCRO_USE_REFERRALS)
+	flags.b.canonicalize = 1;
+    else if(rule_opts & KRB5_NCRO_NO_REFERRALS)
+	flags.b.canonicalize = 0;
+    else
+	flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
     if(options & KRB5_GC_USER_USER) {
 	flags.b.enc_tkt_in_skey = 1;
 	options |= KRB5_GC_NO_STORE;
@@ -1456,8 +1462,6 @@ next_rule:
 	flags.b.request_anonymous = 1; /* XXX ARGH confusion */
 	flags.b.constrained_delegation = 1;
     }
-    if (options & KRB5_GC_CANONICALIZE)
-	flags.b.canonicalize = 1;
 
     tgts = NULL;
     ret = _krb5_get_cred_kdc_any(context, flags, ccache,

lib/krb5/krb5.h

@@ -889,7 +889,8 @@ typedef struct {
 
 typedef enum krb5_name_canon_rule_options {
 	KRB5_NCRO_GC_ONLY = 1 << 0,
-	KRB5_NCRO_NO_REFERRALS = 1 << 1,
+	KRB5_NCRO_USE_REFERRALS = 1 << 1,
+	KRB5_NCRO_NO_REFERRALS = 1 << 2,
 	KRB5_NCRO_SECURE = 1 << 2
 } krb5_name_canon_rule_options;
 

lib/krb5/principal.c

@@ -1300,13 +1300,13 @@ rule_parse_token(krb5_context context, krb5_name_canon_rule rule,
     /* Rule options: */
     } else if (strcmp(tok, "secure") == 0) {
 	rule->options |= KRB5_NCRO_SECURE;
-    } else if (strcmp(tok, "weak") == 0) {
-	rule->options &= ~KRB5_NCRO_SECURE;
     } else if (strcmp(tok, "ccache_only") == 0) {
 	rule->options |= KRB5_NCRO_GC_ONLY;
     } else if (strcmp(tok, "no_referrals") == 0) {
 	rule->options |= KRB5_NCRO_NO_REFERRALS;
+	rule->options &= ~KRB5_NCRO_USE_REFERRALS;
     } else if (strcmp(tok, "use_referrals") == 0) {
+	rule->options |= KRB5_NCRO_USE_REFERRALS;
 	rule->options &= ~KRB5_NCRO_NO_REFERRALS;
     /* Rule ancilliary data: */
     } else if (strncmp(tok, "domain=", strlen("domain=")) == 0) {