OpenAFS Master Repository branch, openafs-stable-1_6_x, updated. openafs-stable-1_6_10-2-g198a4c9

Gerrit Code Review
Thu, 6 Nov 2014 05:06:43 -0500

The following commit has been merged in the openafs-stable-1_6_x branch:
commit 198a4c970ee3cce9dcf3c49fd178d3e1fc3c6c9b
Author: Jeffrey Altman <>
Date:   Mon Oct 13 17:48:05 2014 -0400

    aklog 1.6: make krb5_524 non-fatal for native K5 tokens
    The krb5_524_conv_principal() function should fail whenever the Kerberos
    v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
    does fail on some Kerberos v5 principals used in real-world AFS
    Prior to this patchset a failure was treated as a fatal error that
    in turn prevents an AFS token from being generated or set into the
    cache manager.
    Prior to b1f9b4cb5dd295162ae51704310e9d6058008f0a the
    krb5_524_conv_principal() function wasn't used and a local client
    mapping was created.  b1f9b4cb5dd295162ae51704310e9d6058008f0a
    replaced the local mapping with the krb5 function because the local
    mapping could be wrong and confusing.
    The krb5_524_conv_principal() function as applied to AFS tokens is
    just a local guess.  How the username in the token is interpreted by
    the AFS server is up to the server.
    krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
    tokens the krb5_524_convert_creds() function is used to obtain both the
    Kerberos v4 ticket and the converted names from the KDC.  Many
    organizations used the krb524d service to perform name translation.  When
    the krb524d service is used, the name translation is performed by the KDC,
    so there is no local call to krb5_524_conv_principal() which might fail.
    As a result, disallowing the use of a native Krb5 token due to a failed
    local name translation is a needless loss of functionality; the local name
    translation is not an essential part of obtaining a token.
    This patchset modifies the behavior such that krb5_524_conv_principal()
    errors are non-fatal.
     1. If -noprdb is not specified the error message is generated
        and a NULL username is used.
     2. If the username is NULL the prdb lookup is disabled.
     3. If the username is NULL the informational messages do not
        include a username.
     4. If the username is NULL the username info provided to the
        cache manager in the token description is the nul string.
    This patchset is an openafs-stable-1_6_x specific version of
    the patch.  The master version was submitted to
    Credit to Ben Kaduk for assistance with the wording of this commit
    Change-Id: If12ae69394321fa7b7a182c9db95716bc66e489c
    Reviewed-by: Benjamin Kaduk <>
    Tested-by: BuildBot <>
    Reviewed-by: Jeffrey Altman <>
    Reviewed-by: Stephan Wiesand <>

 doc/man-pages/pod1/aklog.pod |   17 ++++++++++++--
 src/aklog/aklog.c            |   49 ++++++++++++++++++++++++++---------------
 2 files changed, 45 insertions(+), 21 deletions(-)

OpenAFS Master Repository