OpenAFS CVS Commit: openafs/src/WINNT/aklog by jaltman
cvs@GRAND.CENTRAL.ORG
cvs@GRAND.CENTRAL.ORG
Sat, 29 Mar 2008 23:31:00 EDT
Update of /cvs/openafs/src/WINNT/aklog
In directory GRAND.CENTRAL.ORG:/home/jaltman/openafs/cvs-head/src/WINNT/aklog
Modified Files:
aklog.c
Log Message:
DELTA windows-use-client-realm-for-tokens-20080329
AUTHOR jaltman@secure-endpoints.com
LICENSE MIT
Two recent changes to the AFS/Kerberos landscape have been causing
problems for aklog and related modules. First, the support for multiple
local realms for the cell has broken the pts auto-registration code
when the realm used for the token acquisition does not match the
realm belonging to the selected vldb server. Second, Kerberos referrals
prevents detection of the realm of the vldb server.
This commit adds a new method of searching for the afs service principal.
The first attempt is for afs/<cell>@<CLIENT-REALM>. If found, the
<CLIENT-REALM> is used as the realm of the cell.
The patch adds error handling for KRB5_ERR_HOST_REALM_UNKNOWN which is
returned when krb5_get_host_realm() can't determine the realm.
Duplicate queries are also avoided and copy_realm_of_ticket() is
properly employed.
--- DELTA config follows ---
windows-use-client-realm-for-tokens-20080329 openafs/src/WINNT/aklog/aklog.c 1.24 1.25