diff --git a/lib/kafs/ChangeLog b/lib/kafs/ChangeLog index e5fc5726b..279d83848 100644 --- a/lib/kafs/ChangeLog +++ b/lib/kafs/ChangeLog @@ -1,3 +1,19 @@ +Fri Oct 8 18:17:22 1999 Bjoern Groenvall + + * afskrb.c, common.c : Change code to make a clear distinction + between hinted realm and ticket realm. + + * kafs_locl.h: Added argument realm_hint. + + * common.c (_kafs_get_cred): Change code to acquire the ``best'' + possible ticket. Use cross-cell authentication only as method of + last resort. + + * afskrb.c (afslog_uid_int): Add realm_hint argument and extract + realm from ticket file. + + * afskrb5.c (afslog_uid_int): Added argument realm_hint. + 1999-10-03 Assar Westerlund * afskrb5.c (get_cred): update to new krb524_convert_creds_kdc diff --git a/lib/kafs/afskrb.c b/lib/kafs/afskrb.c index 1b48f4ea8..eb0786aca 100644 --- a/lib/kafs/afskrb.c +++ b/lib/kafs/afskrb.c @@ -60,26 +60,31 @@ get_cred(kafs_data *data, const char *name, const char *inst, } static int -afslog_uid_int(kafs_data *data, const char *cell, uid_t uid, +afslog_uid_int(kafs_data *data, + const char *cell, + const char *realm_hint, + uid_t uid, const char *homedir) { int ret; CREDENTIALS c; - struct krb_kafs_data *d = data->data; - char realm[REALM_SZ], *lrealm; + char realm[REALM_SZ]; if (cell == 0 || cell[0] == 0) return _kafs_afslog_all_local_cells (data, uid, homedir); - ret = krb_get_lrealm(realm, 1); - if(ret == KSUCCESS && (d->realm == NULL || strcmp(d->realm, realm))) - lrealm = realm; - else - lrealm = NULL; + /* Extract realm from ticket file. */ + { + char name[ANAME_SZ], inst[INST_SZ]; - ret = _kafs_get_cred(data, cell, d->realm, lrealm, &c); + ret = krb_get_default_principal(name, inst, realm); + if (ret != KSUCCESS) + return ret; + } + + ret = _kafs_get_cred(data, cell, realm_hint, realm, &c); - if(ret == 0) + if (ret == 0) ret = kafs_settoken(cell, uid, &c); return ret; } 
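Review bot: The new early `return ret;` after `krb_get_default_principal` makes afslog_uid_int fail outright whenever no realm can be read from the ticket file, even when the caller supplied `realm_hint`; the replaced code tolerated a failed `krb_get_lrealm` and still called `_kafs_get_cred` with the hinted realm. The early exit is probably necessary, since the reworked `_kafs_get_cred` in common.c now compares `realm` unconditionally, but the reason should be stated, e.g. `/* Extract realm from ticket file; unlike realm_hint, the ticket realm is mandatory for _kafs_get_cred, so give up if there is none. */`. The `name` and `inst` buffers exist only to satisfy krb_get_default_principal's signature and are discarded, which the same comment could mention. Callers now also receive krb_get_default_principal's error code in addition to those of _kafs_get_cred and kafs_settoken, which is a change in the return surface worth a line in the function's documentation.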
@@ -95,36 +100,34 @@ get_realm(kafs_data *data, const char *host) } int -krb_afslog_uid_home(const char *cell, const char *realm, uid_t uid, +krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid, const char *homedir) { kafs_data kd; - struct krb_kafs_data d; kd.afslog_uid = afslog_uid_int; kd.get_cred = get_cred; kd.get_realm = get_realm; - kd.data = &d; - d.realm = realm; - return afslog_uid_int(&kd, cell, uid, homedir); + kd.data = 0; + return afslog_uid_int(&kd, cell, realm_hint, uid, homedir); } int -krb_afslog_uid(const char *cell, const char *realm, uid_t uid) +krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid) { - return krb_afslog_uid_home (cell, realm, uid, NULL); + return krb_afslog_uid_home(cell, realm_hint, uid, NULL); } int -krb_afslog(const char *cell, const char *realm) +krb_afslog(const char *cell, const char *realm_hint) { - return krb_afslog_uid (cell, realm, getuid()); + return krb_afslog_uid(cell, realm_hint, getuid()); } int -krb_afslog_home(const char *cell, const char *realm, const char *homedir) +krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir) { - return krb_afslog_uid_home (cell, realm, getuid(), homedir); + return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir); } /* diff --git a/lib/kafs/afskrb5.c b/lib/kafs/afskrb5.c index 174721260..bac0f1b83 100644 --- a/lib/kafs/afskrb5.c +++ b/lib/kafs/afskrb5.c @@ -75,7 +75,7 @@ get_cred(kafs_data *data, const char *name, const char *inst, } static krb5_error_code -afslog_uid_int(kafs_data *data, const char *cell, uid_t uid, +afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid, const char *homedir) { krb5_error_code ret; @@ -131,7 +131,7 @@ krb5_afslog_uid_home(krb5_context context, d.context = context; d.id = id; d.realm = realm; - return afslog_uid_int(&kd, cell, uid, homedir); + return afslog_uid_int(&kd, cell, 0, uid, homedir); } krb5_error_code 
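Review bot: `kd.data = 0;` in krb_afslog_uid_home removes the `struct krb_kafs_data` that the krb4 callbacks used to receive through `data->data`; the previous hunk dropped the only such access in afslog_uid_int, but `get_cred` and `get_realm` in this file are outside the hunk, and if either still reads `data->data` this is now a null pointer dereference. Please confirm both callbacks are free of `data->data` accesses, or keep passing a (now realm-less) struct. If `struct krb_kafs_data` is indeed unused after this change, its definition should go too, so a dead type does not suggest a contract that no longer exists.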
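Review bot: The parameter added to afskrb5.c's afslog_uid_int is named `rh`, while every other signature in this change, including the `afslog_uid_func_t` typedef in kafs_locl.h, calls it `realm_hint`; renaming it keeps the callback uniform, and since the krb5 body (outside the hunk) presumably keeps taking its realm from the `d.realm` set by krb5_afslog_uid_home, a comment should record that the hint is ignored here, e.g. `/* realm_hint is not used by the krb5 backend; the realm comes from d->realm. */`. The same point applies to the following hunk in this file, where krb5_afslog_uid_home passes `0` for it. If the build runs with unused-parameter warnings, a `(void)realm_hint;` line in the body avoids the noise.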
diff --git a/lib/kafs/common.c b/lib/kafs/common.c index 38316d6b6..2f8b0e965 100644 --- a/lib/kafs/common.c +++ b/lib/kafs/common.c @@ -218,8 +218,11 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, { int ret = 0; int i; - for(i = 0; i < max; i++) - ret = (*data->afslog_uid)(data, cells[i], uid, homedir); + for (i = 0; i < max; i++) { + int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir); + if (er) + ret = er; + } return ret; } @@ -305,8 +308,8 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) int _kafs_get_cred(kafs_data *data, const char *cell, - const char *krealm, - const char *lrealm, + const char *realm_hint, + const char *realm, CREDENTIALS *c) { int ret = -1; 
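Review bot: afslog_cells now keeps the last non-zero result instead of the last result, so one successful cell no longer hides an earlier failure; that return contract is not written anywhere and deserves a comment above the loop, e.g. `/* Return 0 only if every cell succeeded, otherwise the last error seen. */`. Each cell is attempted with a null realm_hint, leaving realm selection entirely to the backend's afslog_uid, which the same comment could state. The function's signature begins outside the hunk.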
@@ -334,37 +337,63 @@ _kafs_get_cred(kafs_data *data, /* comments on the ordering of these tests */ /* If the user passes a realm, she probably knows something we don't - * know and we should try afs@krealm (otherwise we're talking with a + * know and we should try afs@realm_hint (otherwise we're talking with a * blondino and she might as well have it.) */ - if (krealm) { - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, krealm, c); + if (realm_hint) { + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c); + if (ret == 0) return 0; + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c); if (ret == 0) return 0; - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", krealm, c); } - if (ret == 0) return 0; foldup(CELL, cell); + /* + * If cell == realm we don't need no cross-cell authentication. + * Try afs@REALM. + */ + if (strcmp(CELL, realm) == 0) { + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c); + if (ret == 0) return 0; + /* Try afs.cell@REALM below. */ + } + + /* + * If the AFS servers have a file /usr/afs/etc/krb.conf containing + * REALM we still don't have to resort to cross-cell authentication. + * Try afs.cell@REALM. + */ + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c); + if (ret == 0) return 0; + + /* + * We failed to get ``first class tickets'' for afs, + * fall back to cross-cell authentication. + * Try afs@CELL. + * Try afs.cell@CELL. + */ + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); + if (ret == 0) return 0; ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c); if (ret == 0) return 0; - ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); - if (ret == 0) return 0; - - /* this might work in some cases */ - if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0) { + /* + * Perhaps the cell doesn't correspond to any realm? + * Use realm of first volume location DB server. + * Try afs.cell@VL_REALM. + * Try afs@VL_REALM??? 
+ */ + if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0 + && strcmp(vl_realm, realm) != 0 + && strcmp(vl_realm, CELL) != 0) { ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c); if (ret) ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c); free(vl_realm); if (ret == 0) return 0; } - - if (lrealm) - ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, lrealm, c); + return ret; } - - diff --git a/lib/kafs/kafs_locl.h b/lib/kafs/kafs_locl.h index b4642b6d5..fd6a4e18b 100644 --- a/lib/kafs/kafs_locl.h +++ b/lib/kafs/kafs_locl.h @@ -106,8 +106,11 @@ #include "afssysdefs.h" struct kafs_data; -typedef int (*afslog_uid_func_t)(struct kafs_data*, const char*, uid_t, - const char *); +typedef int (*afslog_uid_func_t)(struct kafs_data *, + const char *cell, + const char *realm_hint, + uid_t, + const char *homedir); typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, const char*, CREDENTIALS*);
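Review bot: The new guard on the `_kafs_realm_of_cell` result leaks `vl_realm` whenever the lookup succeeds but `vl_realm` equals `realm` or `CELL`: the two `strcmp` terms short-circuit the `if`, the block that holds the only `free(vl_realm)` is skipped, and the string handed back by _kafs_realm_of_cell (heap-allocated, as the existing free implies) is never released. Splitting the condition so that `free(vl_realm)` runs on every successful lookup fixes it, as below. Separately, `strcmp(CELL, realm)` and the later `strcmp(vl_realm, realm)` dereference `realm` unconditionally, whereas the removed `lrealm` parameter was guarded with `if (lrealm)`; the callers in this change always pass a filled buffer, but that precondition should be stated in a comment on the function, or the checks should read `realm && strcmp(...)`. The function's opening lines, including the declarations of `vl_realm` and `CELL`, lie outside the hunk.
```c
    /* … unchanged: realm_hint, afs@REALM, afs.cell@REALM and cross-cell attempts … */

    /* … unchanged: comment on the VL_REALM fallback … */
    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0) {
	/* Skip realms already tried above, but release vl_realm either way. */
	if (strcmp(vl_realm, realm) != 0 && strcmp(vl_realm, CELL) != 0) {
	    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
	    if (ret)
		ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
	}
	free(vl_realm);
	if (ret == 0) return 0;
    }

    return ret;
```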
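Review bot: The widened `afslog_uid_func_t` typedef names `cell`, `realm_hint` and `homedir` but leaves the `uid_t` parameter anonymous, and says nothing about what `realm_hint` means or whether it may be null; the callers in this change pass `0` for it (afslog_cells in common.c, krb5_afslog_uid_home in afskrb5.c) and _kafs_get_cred tests it with `if (realm_hint)`, so it is optional. A comment above the typedef would capture the contract this commit introduces, e.g. `/* realm_hint: realm suggested by the caller, or NULL; the backend determines the ticket realm itself. */`, and writing `uid_t uid` keeps the prototype self-describing. The sibling `get_cred_func_t` typedef still has unnamed parameters; giving it the same treatment would be consistent.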