oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Change code to make a clear distinction

Browse Source 
between hinted realm and ticket realm.
Change code to acquire the ``best
 possible ticket. Use cross-cell authentication only as method of
 last resort.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7121 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Björn Groenvall
1999-10-08 16:32:14 +00:00
parent 9aeb7874f3
commit 8daeee5f57
5 changed files with 95 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
lib/kafs/common.c
View File

@@ -218,8 +218,11 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
{
int ret = 0;
int i;
for(i = 0; i < max; i++)
ret = (*data->afslog_uid)(data, cells[i], uid, homedir);
for (i = 0; i < max; i++) {
int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
if (er)
ret = er;
}
return ret;
}
@@ -305,8 +308,8 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
int
_kafs_get_cred(kafs_data *data,
const char *cell,
const char *krealm,
const char *lrealm,
const char *realm_hint,
const char *realm,
CREDENTIALS *c)
{
int ret = -1;
@@ -334,37 +337,63 @@ _kafs_get_cred(kafs_data *data,
/* comments on the ordering of these tests */
/* If the user passes a realm, she probably knows something we don't
* know and we should try afs@krealm (otherwise we're talking with a
* know and we should try afs@realm_hint (otherwise we're talking with a
* blondino and she might as well have it.)
*/
if (krealm) {
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, krealm, c);
if (realm_hint) {
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
if (ret == 0) return 0;
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
if (ret == 0) return 0;
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", krealm, c);
}
if (ret == 0) return 0;
foldup(CELL, cell);
/*
* If cell == realm we don't need no cross-cell authentication.
* Try afs@REALM.
*/
if (strcmp(CELL, realm) == 0) {
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
if (ret == 0) return 0;
/* Try afs.cell@REALM below. */
}
/*
* If the AFS servers have a file /usr/afs/etc/krb.conf containing
* REALM we still don't have to resort to cross-cell authentication.
* Try afs.cell@REALM.
*/
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
if (ret == 0) return 0;
/*
* We failed to get ``first class tickets'' for afs,
* fall back to cross-cell authentication.
* Try afs@CELL.
* Try afs.cell@CELL.
*/
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
if (ret == 0) return 0;
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
if (ret == 0) return 0;
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
if (ret == 0) return 0;
/* this might work in some cases */
if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0) {
/*
* Perhaps the cell doesn't correspond to any realm?
* Use realm of first volume location DB server.
* Try afs.cell@VL_REALM.
* Try afs@VL_REALM???
*/
if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
&& strcmp(vl_realm, realm) != 0
&& strcmp(vl_realm, CELL) != 0) {
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
if (ret)
ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
free(vl_realm);
if (ret == 0) return 0;
}
if (lrealm)
ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, lrealm, c);
return ret;
}