OpenAFS Master Repository branch, openafs-stable-1_6_x, updated. openafs-stable-1_6_10-2-g198a4c9
Gerrit Code Review
Thu, 6 Nov 2014 05:06:43 -0500
The following commit has been merged in the openafs-stable-1_6_x branch:
Author: Jeffrey Altman <firstname.lastname@example.org>
Date: Mon Oct 13 17:48:05 2014 -0400
aklog 1.6: make krb5_524 non-fatal for native K5 tokens
The krb5_524_conv_principal() function should fail whenever the Kerberos
v5 principal cannot safely be mapped onto a Kerberos v4 principal, and
does fail on some Kerberos v5 principals used in real-world AFS
Prior to this patchset a failure was treated as a fatal error that
in turn prevents an AFS token from being generated or set into the
Prior to b1f9b4cb5dd295162ae51704310e9d6058008f0a the
krb5_524_conv_principal() function wasn't used and a local client
mapping was created. b1f9b4cb5dd295162ae51704310e9d6058008f0a
replaced the local mapping with the krb5 function because the local
mapping could be wrong and confusing.
The krb5_524_conv_principal() function as applied to AFS tokens is
just a local guess. How the username in the token is interpreted by
the AFS server is up to the server.
krb5_524_conv_principal() is only used for Krb5 native tokens. For Krb4
tokens the krb5_524_convert_creds() function is used to obtain both the
Kerberos v4 ticket and the converted names from the KDC. Many
organizations used the krb524d service to perform name translation. When
the krb524d service is used, the name translation is performed by the KDC,
so there is no local call to krb5_524_conv_principal() which might fail.
As a result, disallowing the use of a native Krb5 token due to a failed
local name translation is a needless loss of functionality; the local name
translation is not an essential part of obtaining a token.
This patchset modifies the behavior such that krb5_524_conv_principal()
errors are non-fatal.
1. If -noprdb is not specified the error message is generated
and a NULL username is used.
2. If the username is NULL the prdb lookup is disabled.
3. If the username is NULL the informational messages do not
include a username.
4. If the username is NULL the username info provided to the
cache manager in the token description is the nul string.
This patchset is an openafs-stable-1_6_x specific version of
the patch. The master version was submitted to
Credit to Ben Kaduk for assistance with the wording of this commit
Reviewed-by: Benjamin Kaduk <email@example.com>
Tested-by: BuildBot <firstname.lastname@example.org>
Reviewed-by: Jeffrey Altman <email@example.com>
Reviewed-by: Stephan Wiesand <firstname.lastname@example.org>
doc/man-pages/pod1/aklog.pod | 17 ++++++++++++--
src/aklog/aklog.c | 49 ++++++++++++++++++++++++++---------------
2 files changed, 45 insertions(+), 21 deletions(-)
OpenAFS Master Repository