Avoid calling afsconf_GetLatestKey directly

Don't call afsconf_GetLatestKey to determine whether we can print our
own local tokens, since we may have keytab 'local' keys, but no DES
keys. Just try to construct them and see if it fails, using
afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as
appropriate.

diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index 53925ae06e7606c18b2140f990bb48497bd6c9b6..4f5b21a835bfd86f4b5690b7fd60b6cc90443774 100644 (file)
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -210,7 +210,6 @@ main(int argc, char **argv)
     struct rx_service *tservice;
     struct rx_securityClass **securityClasses;
     afs_int32 numClasses;
-    int kerberosKeys;          /* set if found some keys */
     int lwps = 3;
     char clones[MAXHOSTSPERCELL];
     afs_uint32 host = htonl(INADDR_ANY);
@@ -455,16 +454,6 @@ main(int argc, char **argv)
     pr_realmName = info.name;
 
     {
-       afs_int32 kvno;         /* see if there is a KeyFile here */
-       struct ktc_encryptionKey key;
-       code = afsconf_GetLatestKey(prdir, &kvno, &key);
-       kerberosKeys = (code == 0);
-       if (!kerberosKeys)
-           printf
-               ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n",
-                code);
-    }
-    if (kerberosKeys) {
        /* initialize ubik */
        ubik_CRXSecurityProc = afsconf_ClientAuth;
        ubik_CRXSecurityRock = prdir;

diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index 538b6dcd5eb45263080fba4241e276bdbeaf32ff..b654472814034df81cf9414aa6ae0211e7c5ac31 100644 (file)
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
@@ -292,16 +292,13 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
      * to force use of the KeyFile.  secLevel == 0 implies -noauth was
      * specified. */
     if (secLevel == 2) {
-       code = afsconf_GetLatestKey(tdir, 0, 0);
+       secFlags = AFSCONF_SECOPTS_LOCALAUTH;
+       secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
+       code = afsconf_PickClientSecObj(tdir, secFlags, &info, cell, &sc, &scIndex, NULL);
        if (code) {
            afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
-       } else {
-           /* If secLevel is two assume we're on a file server and use
-            * ClientAuthSecure if possible. */
-           code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
-           if (code)
-               afs_com_err(whoami, code, "(calling client secure)\n");
         }
+
     } else if (secLevel > 0) {
        secFlags = 0;
        if (secLevel > 1)

diff --git a/src/viced/host.c b/src/viced/host.c
index ee5c1620ed1e64004f7409ce0a31e6add316b425..8b9cacd2e2f835bdaf9845b906c8adef0435b3ab 100644 (file)
--- a/src/viced/host.c
+++ b/src/viced/host.c
@@ -305,15 +305,12 @@ hpr_Initialize(struct ubik_client **uclient)
     /* Most callers use secLevel==1, however, the fileserver uses secLevel==2
      * to force use of the KeyFile.  secLevel == 0 implies -noauth was
      * specified. */
-    if ((afsconf_GetLatestKey(tdir, 0, 0) == 0)) {
-        code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
-        if (code)
-           ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
-        if (code)
-            scIndex = RX_SECIDX_NULL;
-    } else {
-       afsconf_ClientAuthToken(&info, 0, &sc, &scIndex, NULL);
-    }
+    code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
+    if (code)
+       ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
+    if (code)
+        scIndex = RX_SECIDX_NULL;
+
     if ((scIndex == RX_SECIDX_NULL) && (sc == NULL))
         sc = rxnull_NewClientSecurityObject();
     if (scIndex == RX_SECIDX_NULL)