[OpenAFS-devel] More on aklog

Rainer Schöpf rainer.schoepf@proteosys.com
Thu, 30 Sep 2004 22:02:26 +0200 (CEST)


I made a few changes to the aklog program from the WINNT subtree of
openafs 1.3.71 to make it work on Linux, with MIT Kerberos. A patch is
appended to this email.

I ran into a few problems.

The bos command complains about a "funny kvno (256) in ticket", but works
anyway. Easily corrected by changing the test for a valid kvno in
bozo/bos.c.

A principal with a "." in its name does not work at all with Kerberos5
tokens. This is explicitly forbidden by this snippet of code from
rxkad/ticket5.c:

    /*
     * If the first part of the name_string contains a dot, punt since
     * then we can't see the difference between the kerberos 5
     * principals foo.root and foo/root later in the fileserver.
     */
    if (strchr(decr_part.cname.name_string.val[0], '.') != NULL)
        goto bad_ticket;

I don't see why this should be a problem: name and instance are well
separated in the fileserver code. If I use the old aklog together with
krb524d, no such restriction exists.

Can someone explain why this check is there?


   Rainer Schöpf


---patch to src/WINNT/aklog for Linux follows
diff -c -r1.1 aklog.c
*** aklog.c     2004/09/30 19:33:35     1.1
--- aklog.c     2004/09/30 19:38:04
***************
*** 23,29 ****
--- 23,31 ----
  #include <afs/stds.h>
  #include <krb.h>
  #include <krb5.h>
+ #if 0
  #include <afs/ptserver.h>
+ #endif

  #ifdef WIN32
  #include <windows.h>
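
Review bot: the `#if 0` around `#include <afs/ptserver.h>` disables the header on every platform, including the WIN32 build this file comes from, and gives no reason. If only the Linux build lacks the header, guard it with `#ifdef WIN32` in the same way as the `<windows.h>` include just below; if nothing in aklog.c uses it, delete the line rather than leaving it disabled.
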
***************
*** 462,468 ****
--- 464,480 ----
                strcpy(krbrlm, krbrlms[0]);
      } else {
                strcpy(krbrlm, cellconfig->name);
+ #ifdef WIN32
                strupr(krbrlm);
+ #else
+               {
+                       char * cp = krbrlm;
+                       while (*cp) {
+                               *cp = toupper(*cp);
+                               cp++;
+                       }
+               }
+ #endif
        }

        if (krbrlms)
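
Review bot: in the new non-WIN32 branch, `*cp = toupper(*cp);` passes a plain `char` to `toupper`, which is undefined for negative values where `char` is signed; write `*cp = toupper((unsigned char)*cp);`. The include hunk above adds no `<ctype.h>`, so confirm it is already pulled in. The loop also runs over the buffer just filled by the unbounded `strcpy(krbrlm, cellconfig->name);` in the context lines, so it is worth bounding that copy while touching this code.
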
***************
*** 775,780 ****
--- 787,801 ----
          int len = min(v5cred->client->realm.length,MAXKTCNAMELEN - 1);
          strncpy(aclient.cell, v5cred->client->realm.data, len);
          aclient.cell[len] = '\0';
+ #if 0 /* not sure if needed */
+       {
+               char *ptr = aclient.cell;
+               while (*ptr) {
+                       *ptr = tolower(*ptr);
+                       ptr++;
+               }
+       }
+ #endif
      } else
        strncpy(aclient.cell, c.realm, MAXKTCREALMLEN - 1);
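
Review bot: the block under `#if 0 /* not sure if needed */` is dead code that carries an open question into the tree; decide whether `aclient.cell` has to be lower-cased and then either enable the loop or drop it from the patch. If it stays, `tolower(*ptr)` needs the `(unsigned char)` cast for the same reason as the `toupper` loop. The context lines also bound the same `aclient.cell` buffer by `MAXKTCNAMELEN - 1` in one branch and `MAXKTCREALMLEN - 1` in the other, so check which constant matches the field's size.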