Change code to make a clear distinction

between hinted realm and ticket realm.
Change code to acquire the ``best
 possible ticket. Use cross-cell authentication only as method of
 last resort.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7121 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/kafs/ChangeLog

@@ -1,3 +1,19 @@
+Fri Oct  8 18:17:22 1999  Bjoern Groenvall  <bg@mummel.sics.se>
+
+	* afskrb.c, common.c : Change code to make a clear distinction
+ 	between hinted realm and ticket realm.
+
+	* kafs_locl.h: Added argument realm_hint.
+
+	* common.c (_kafs_get_cred): Change code to acquire the ``best''
+ 	possible ticket. Use cross-cell authentication only as method of
+ 	last resort.
+
+	* afskrb.c (afslog_uid_int): Add realm_hint argument and extract
+ 	realm from ticket file.
+
+	* afskrb5.c (afslog_uid_int): Added argument realm_hint.
+
 1999-10-03  Assar Westerlund  <assar@sics.se>
 
 	* afskrb5.c (get_cred): update to new krb524_convert_creds_kdc

lib/kafs/afskrb.c

@@ -60,26 +60,31 @@ get_cred(kafs_data *data, const char *name, const char *inst,
 }
 
 static int
-afslog_uid_int(kafs_data *data, const char *cell, uid_t uid,
+afslog_uid_int(kafs_data *data,
+	       const char *cell,
+	       const char *realm_hint,
+	       uid_t uid,
 	       const char *homedir)
 {
     int ret;
     CREDENTIALS c;
-    struct krb_kafs_data *d = data->data;
+    char realm[REALM_SZ];
-    char realm[REALM_SZ], *lrealm;
     
     if (cell == 0 || cell[0] == 0)
 	return _kafs_afslog_all_local_cells (data, uid, homedir);
 
-    ret = krb_get_lrealm(realm, 1);
+    /* Extract realm from ticket file. */
-    if(ret == KSUCCESS && (d->realm == NULL || strcmp(d->realm, realm)))
+    {
-	lrealm = realm;
+        char name[ANAME_SZ], inst[INST_SZ];
-    else
-	lrealm = NULL;
 
-    ret = _kafs_get_cred(data, cell, d->realm, lrealm, &c);
+	ret = krb_get_default_principal(name, inst, realm);
+	if (ret != KSUCCESS)
+	    return ret;
+    }
+
+    ret = _kafs_get_cred(data, cell, realm_hint, realm, &c);
     
-    if(ret == 0)
+    if (ret == 0)
 	ret = kafs_settoken(cell, uid, &c);
     return ret;
 }
@@ -95,36 +100,34 @@ get_realm(kafs_data *data, const char *host)
 }
 
 int
-krb_afslog_uid_home(const char *cell, const char *realm, uid_t uid,
+krb_afslog_uid_home(const char *cell, const char *realm_hint, uid_t uid,
 		    const char *homedir)
 {
     kafs_data kd;
-    struct krb_kafs_data d;
 
     kd.afslog_uid = afslog_uid_int;
     kd.get_cred = get_cred;
     kd.get_realm = get_realm;
-    kd.data = &d;
+    kd.data = 0;
-    d.realm = realm;
+    return afslog_uid_int(&kd, cell, realm_hint, uid, homedir);
-    return afslog_uid_int(&kd, cell, uid, homedir);
 }
 
 int
-krb_afslog_uid(const char *cell, const char *realm, uid_t uid)
+krb_afslog_uid(const char *cell, const char *realm_hint, uid_t uid)
 {
-    return krb_afslog_uid_home (cell, realm, uid, NULL);
+    return krb_afslog_uid_home(cell, realm_hint, uid, NULL);
 }
 
 int
-krb_afslog(const char *cell, const char *realm)
+krb_afslog(const char *cell, const char *realm_hint)
 {
-    return krb_afslog_uid (cell, realm, getuid());
+    return krb_afslog_uid(cell, realm_hint, getuid());
 }
 
 int
-krb_afslog_home(const char *cell, const char *realm, const char *homedir)
+krb_afslog_home(const char *cell, const char *realm_hint, const char *homedir)
 {
-    return krb_afslog_uid_home (cell, realm, getuid(), homedir);
+    return krb_afslog_uid_home(cell, realm_hint, getuid(), homedir);
 }
 
 /*

lib/kafs/afskrb5.c

@@ -75,7 +75,7 @@ get_cred(kafs_data *data, const char *name, const char *inst,
 }
 
 static krb5_error_code
-afslog_uid_int(kafs_data *data, const char *cell, uid_t uid,
+afslog_uid_int(kafs_data *data, const char *cell, const char *rh, uid_t uid,
 	       const char *homedir)
 {
     krb5_error_code ret;
@@ -131,7 +131,7 @@ krb5_afslog_uid_home(krb5_context context,
     d.context = context;
     d.id = id;
     d.realm = realm;
-    return afslog_uid_int(&kd, cell, uid, homedir);
+    return afslog_uid_int(&kd, cell, 0, uid, homedir);
 }
 
 krb5_error_code

lib/kafs/common.c

@@ -218,8 +218,11 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid,
 {
     int ret = 0;
     int i;
-    for(i = 0; i < max; i++)
+    for (i = 0; i < max; i++) {
-	ret = (*data->afslog_uid)(data, cells[i], uid, homedir);
+        int er = (*data->afslog_uid)(data, cells[i], 0, uid, homedir);
+	if (er)
+	    ret = er;
+    }
     return ret;
 }
 
@@ -305,8 +308,8 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm)
 int
 _kafs_get_cred(kafs_data *data,
 	      const char *cell, 
-	      const char *krealm, 
+	      const char *realm_hint,
-	      const char *lrealm,
+	      const char *realm,
 	      CREDENTIALS *c)
 {
     int ret = -1;
@@ -334,37 +337,63 @@ _kafs_get_cred(kafs_data *data,
     /* comments on the ordering of these tests */
 
     /* If the user passes a realm, she probably knows something we don't
-     * know and we should try afs@krealm (otherwise we're talking with a
+     * know and we should try afs@realm_hint (otherwise we're talking with a
      * blondino and she might as well have it.)
      */
   
-    if (krealm) {
+    if (realm_hint) {
-	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, krealm, c);
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm_hint, c);
+	if (ret == 0) return 0;
+	ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm_hint, c);
 	if (ret == 0) return 0;
-	ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", krealm, c);
     }
-    if (ret == 0) return 0;
 
     foldup(CELL, cell);
 
+    /*
+     * If cell == realm we don't need no cross-cell authentication.
+     * Try afs@REALM.
+     */
+    if (strcmp(CELL, realm) == 0) {
+        ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", realm, c);
+	if (ret == 0) return 0;
+	/* Try afs.cell@REALM below. */
+    }
+
+    /*
+     * If the AFS servers have a file /usr/afs/etc/krb.conf containing
+     * REALM we still don't have to resort to cross-cell authentication.
+     * Try afs.cell@REALM.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, realm, c);
+    if (ret == 0) return 0;
+
+    /*
+     * We failed to get ``first class tickets'' for afs,
+     * fall back to cross-cell authentication.
+     * Try afs@CELL.
+     * Try afs.cell@CELL.
+     */
+    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
+    if (ret == 0) return 0;
     ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
     if (ret == 0) return 0;
 
-    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
+    /*
-    if (ret == 0) return 0;
+     * Perhaps the cell doesn't correspond to any realm?
-    
+     * Use realm of first volume location DB server.
-    /* this might work in some cases */
+     * Try afs.cell@VL_REALM.
-    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0) {
+     * Try afs@VL_REALM???
+     */
+    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
+	&& strcmp(vl_realm, realm) != 0
+	&& strcmp(vl_realm, CELL) != 0) {
 	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
 	if (ret)
 	    ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
 	free(vl_realm);
 	if (ret == 0) return 0;
     }
-    
+
-    if (lrealm)
-	ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, lrealm, c);
     return ret;
 }
-
-

lib/kafs/kafs_locl.h

@@ -106,8 +106,11 @@
 #include "afssysdefs.h"
 
 struct kafs_data;
-typedef int (*afslog_uid_func_t)(struct kafs_data*, const char*, uid_t,
+typedef int (*afslog_uid_func_t)(struct kafs_data *,
-				 const char *);
+				 const char *cell,
+				 const char *realm_hint,
+				 uid_t,
+				 const char *homedir);
 
 typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, 
 				    const char*, CREDENTIALS*);