OpenAFS Master Repository branch, master, updated. openafs-devel-1_5_76-4455-ga55d61b

Gerrit Code Review
Wed, 5 Nov 2014 10:41:28 -0500

The following commit has been merged in the master branch:
commit a55d61b1f5206d4e8dffca0088e31c54836110f9
Author: Jeffrey Altman <>
Date:   Wed Oct 15 12:19:44 2014 -0400

    klog: make krb5_524 non-fatal for native K5 tokens
    The krb5_524_conv_principal() function should fail whenever the Kerberos
    v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
    does fail on some Kerberos v5 principals used in real-world AFS
    Prior to this patchset a failure was treated as a fatal error that
    in turn prevents an AFS token from being generated or set into the
    cache manager.
    Prior to b1f9b4cb5dd295162ae51704310e9d6058008f0a the
    krb5_524_conv_principal() function wasn't used and a local client
    mapping was created.  b1f9b4cb5dd295162ae51704310e9d6058008f0a
    replaced the local mapping with the krb5 function because the local
    mapping could be wrong and confusing.
    The krb5_524_conv_principal() function as applied to AFS tokens is
    just a local guess.  How the username in the token is interpreted by
    the AFS server is up to the server.
    krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
    tokens the krb5_524_convert_creds() function is used to obtain both the
    Kerberos v4 ticket and the converted names from the KDC. Many
    organizations used the krb524d service to perform name translation. When
    the krb524d service is used, the name translation is performed by the KDC,
    so there is no local call to krb5_524_conf_principal() which might fail.
    As a result, disallowing the use of a native Krb5 token due to a failed
    local name translation is a needless loss of functionality; the local name
    translation is not an essential part of obtaining a token.
    This patchset modifies the behavior such that krb5_524_conv_principal()
    errors are non-fatal.
     1. If -noprdb is not specified the error message is generated
        and a NULL username is used.
     2. If the username is NULL the prdb lookup is disabled.
     3. If the username is NULL the informational messages do not
        include a username.
     4. If the username is NULL the username info provided to the
        cache manager in the token description is the nul string.
    Credit to Ben Kaduk for assistance with the wording of this
    commit message.
    Change-Id: Ib07131fc0ff4bf5319815213198c3f0adac17b10
    Tested-by: BuildBot <>
    Reviewed-by: Benjamin Kaduk <>
    Reviewed-by: D Brashear <>

 doc/man-pages/pod1/aklog.pod |   17 +++++++++++++--
 src/aklog/aklog.c            |   45 +++++++++++++++++++++++++++--------------
 2 files changed, 43 insertions(+), 19 deletions(-)

OpenAFS Master Repository