From fbdd3b822d5332d8ba009d447a3f045e06521240 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 17 Jul 2008 20:42:42 +0000
Subject: [PATCH] Try afs/cell@REALM before afs@REALM since that is what
 OpenAFS folks have been saying is best pratices for some time now.

Patch from Derrick Brashear.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23373 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/kafs/common.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/lib/kafs/common.c b/lib/kafs/common.c
index 855bed536..533d160a7 100644
--- a/lib/kafs/common.c
+++ b/lib/kafs/common.c
@@ -437,17 +437,6 @@ _kafs_get_cred(struct kafs_data *data,
 
     _kafs_foldup(CELL, cell);
 
-    /*
-     * If cell == realm we don't need no cross-cell authentication.
-     * Try afs@REALM.
-     */
-    if (strcmp(CELL, realm) == 0) {
-        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
-				 "", realm, uid, kt);
-	if (ret == 0) return 0;
-	/* Try afs.cell@REALM below. */
-    }
-
     /*
      * If the AFS servers have a file /usr/afs/etc/krb.conf containing
      * REALM we still don't have to resort to cross-cell authentication.
@@ -457,6 +446,16 @@ _kafs_get_cred(struct kafs_data *data,
 			     cell, realm, uid, kt);
     if (ret == 0) return 0;
 
+    /*
+     * If cell == realm we don't need no cross-cell authentication.
+     * Try afs@REALM.
+     */
+    if (strcmp(CELL, realm) == 0) {
+        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
+				 "", realm, uid, kt);
+	if (ret == 0) return 0;
+    }
+
     /*
      * We failed to get ``first class tickets'' for afs,
      * fall back to cross-cell authentication.