DEVEL15-aklog-attempt-order-comments-20081029

author Simon Wilkinson <sxw@inf.ed.ac.uk>

Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)

committer Derrick Brashear <shadow@dementia.org>

Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)
author Simon Wilkinson <sxw@inf.ed.ac.uk>
Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)
committer Derrick Brashear <shadow@dementia.org>
Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)
diff --git a/src/aklog/aklog_main.c b/src/aklog/aklog_main.c

index b7b656f20eb9d17754d482924e55989ed4128c22..b56421fb03826ad16326d031c0f141e1b9995ed4 100644 (file)
--- a/src/aklog/aklog_main.c
+++ b/src/aklog/aklog_main.c
@@ -463,7 +463,27 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
         retry = 1;
         
         while(retry) {
-           
+
+           /* This code tries principals in the following, much debated,
+            * order:
+            * 
+            * If the realm is specified on the command line we do
+            *    - afs/cell@COMMAND-LINE-REALM
+            *    - afs@COMMAND-LINE-REALM
+            * 
+            * Otherwise, we do
+            *    - afs/cell@REALM-FROM-USERS-PRINCIPAL
+            *    - afs/cell@krb5_get_host_realm(db-server)
+            *   Then, if krb5_get_host_realm(db-server) is non-empty
+            *      - afs@ krb5_get_host_realm(db-server)
+            *   Otherwise
+            *      - afs/cell@ upper-case-domain-of-db-server
+            *      - afs@ upper-case-domain-of-db-server
+            * 
+            * In all cases, the 'afs@' variant is only tried where the
+            * cell and the realm match case-insensitively.
+            */
+               
             /* Cell on command line - use that one */
             if (realm && realm[0]) {
                 realm_of_cell = realm;
author	Simon Wilkinson <sxw@inf.ed.ac.uk>
	Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)
committer	Derrick Brashear <shadow@dementia.org>
	Wed, 29 Oct 2008 19:43:53 +0000 (19:43 +0000)