From e1be4482acea2972f916f7b5ce40fd85e5e82dc7 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 20 Oct 2011 13:16:34 -0500
Subject: [PATCH] Improve kgetcred support for name canon rules and document

---
 kuser/kgetcred.1 | 15 +++++++++++++++
 kuser/kgetcred.c | 40 ++++------------------------------------
 2 files changed, 19 insertions(+), 36 deletions(-)

diff --git a/kuser/kgetcred.1 b/kuser/kgetcred.1
index 5c1b212e2..13fdd69eb 100644
--- a/kuser/kgetcred.1
+++ b/kuser/kgetcred.1
@@ -48,10 +48,16 @@
 .Fl Fl enctype= Ns Ar enctype
 .Xc
 .Oc
+.Op Fl name-type= Ns Ar name-type
 .Op Fl Fl no-transit-check
 .Op Fl Fl version
 .Op Fl Fl help
 .Ar service
+.Nm
+.Op options
+.Fl name-type= Ns Ar SRV_HST
+.Ar service
+.Ar hostname
 .Sh DESCRIPTION
 .Nm
 obtains a ticket for a service.
@@ -59,16 +65,25 @@
 Usually tickets for services are obtained automatically when needed but sometimes for some odd reason you want to obtain a particular ticket or of a special type.
 .Pp
+The second form applies hostname canonicalization using local name
+canonicalization rules just as applications normally would, possibly
+enabling canonicalization via referrals.
+.Pp
 Supported options:
 .Bl -tag -width Ds
 .It Fl Fl canonicalize
 requests that the KDC canonicalize the principal.
+.It Fl Fl name-type= Ns Ar name-type the name-type to use when parsing the principal name.
 .It Fl c Ar cache , Fl Fl cache= Ns Ar cache
 the credential cache to use.
+.It Fl Fl delegation-credential-cache= Ns Ar cache the credential cache to use for delegation.
 .It Fl e Ar enctype , Fl Fl enctype= Ns Ar enctype
 encryption type to use.
 .It Fl Fl no-transit-check
 requests that the KDC doesn't do transit checking.
+.It Fl Fl forwardable
 .It Fl Fl version
 .It Fl Fl help
 .El
diff --git a/kuser/kgetcred.c b/kuser/kgetcred.c
index f9c913fcd..9670b5796 100644
--- a/kuser/kgetcred.c
+++ b/kuser/kgetcred.c
@@ -61,7 +61,7 @@ struct getargs args[] = {
 NP_("encryption type to use", ""), "enctype"},
 { "impersonate", 0, arg_string, &impersonate_str,
 NP_("client to impersonate", ""), "principal"},
- { "name-type", 0, arg_string, &nametype_str, NULL, NULL },
+ { "name-type", 0, arg_string, &nametype_str, NULL, NULL },
 { "version", 0, arg_flag, &version_flag, NULL, NULL },
 { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
@@ -189,7 +189,6 @@ main(int argc, char **argv)
 if (nametype_str) {
 int32_t nametype;
- int do_sn2p = 1;
 char *sname = NULL;
 char *hname = NULL;
@@ -197,46 +196,15 @@ main(int argc, char **argv)
 if (ret)
 krb5_err(context, 1, ret, "krb5_parse_nametype");
- if (nametype == KRB5_NT_SRV_HST) {
- if (argc == 1) {
- char *cp;
-
- for (cp = sname; *cp; cp++) {
- if (cp[0] == '\\') {
- cp++;
- } else if (cp[0] == '@' && cp[1] != '\0') {
- /* If a realm is given we assume no canon is needed */
- do_sn2p = 0;
- break;
- }
- }
- if (do_sn2p) {
- sname = argv[0];
- for (cp = sname; *cp; cp++) {
- if (cp[0] == '\\') {
- cp++;
- } else if (cp[0] == '/') {
- *cp = '\0';
- hname = cp + 1;
- } else if (cp[0] == '@') {
- *cp = '\0';
- break;
- }
- }
- }
- } else if (argc == 2) {
- sname = argv[0];
- hname = argv[1];
- } else if (argc != 0) {
- usage(1);
- }
+ if (nametype == KRB5_NT_SRV_HST && argc == 2) {
+ sname = argv[0];
+ hname = argv[1];
 ret = krb5_sname_to_principal(context, hname, sname,
 KRB5_NT_SRV_HST, &server);
 if (ret)
 krb5_err(context, 1, ret, "krb5_sname_to_principal %s/%s",
 (sname && *sname) ? sname : "",
 (hname && *hname) ? hname : "");
- } else {
 if (argc != 1)
 usage(1);
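Review bot: The `- } else {` removed just before `if (argc != 1)` in the third hunk has no counterpart on the new side, and the diffstat's four insertions for kuser/kgetcred.c are all visible (one in the getargs table, three in this hunk), so as written the `if (argc != 1) usage(1);` and the parsing that follows it now sit inside the `nametype == KRB5_NT_SRV_HST && argc == 2` block instead of in an alternative to it. In that shape the two-argument SRV_HST form would always exit through `usage(1)` right after a successful `krb5_sname_to_principal`, while a non-SRV_HST name type, or SRV_HST with one argument, would skip the block entirely and leave `server` untouched for whatever consumes it afterwards. Unless the trailing context, which appears cut at the end of this page, shows the brace structure being restored, the line `} else {` should stay between the `krb5_err(... "krb5_sname_to_principal %s/%s" ...)` call and `if (argc != 1)`. main() begins and ends outside this hunk, so the later use of `server` cannot be confirmed from here.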