]> git.michaelhowe.org Git - packages/o/openafs.git/commit
projects / packages / o / openafs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d2995e6) | patch
DEVEL15-windows-use-client-realm-for-tokens-20080329
authorJeffrey Altman <jaltman@secure-endpoints.com>
Sun, 30 Mar 2008 04:36:55 +0000 (04:36 +0000)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Sun, 30 Mar 2008 04:36:55 +0000 (04:36 +0000)
commita2ee8eafca02ea2bf78ca56ca05195b4fa6cb79c
tree4ac2f4815113d0348995cd113b018445814481cbtree | snapshot
parentd2995e6ef57e58735d8d80e23590528751d753e8commit | diff
DEVEL15-windows-use-client-realm-for-tokens-20080329

LICENSE MIT

Two recent changes to the AFS/Kerberos landscape have been causing
problems for aklog and related modules.  First, the support for multiple
local realms for the cell has broken the pts auto-registration code
when the realm used for the token acquisition does not match the
realm belonging to the selected vldb server.  Second, Kerberos referrals
prevents detection of the realm of the vldb server.

This commit adds a new method of searching for the afs service principal.
The first attempt is for afs/<cell>@<CLIENT-REALM>.  If found, the
<CLIENT-REALM> is used as the realm of the cell.

The patch adds error handling for KRB5_ERR_HOST_REALM_UNKNOWN which is
returned when krb5_get_host_realm() can't determine the realm.

Duplicate queries are also avoided and copy_realm_of_ticket() is
properly employed.

(cherry picked from commit c6897cee01063d6d6ad302e6527794130f007d74)
src/WINNT/afsd/afskfw.c diff | blob | history
src/WINNT/aklog/aklog.c diff | blob | history
src/WINNT/netidmgr_plugin/afsfuncs.c diff | blob | history