windows-aklog-referrals-20080105

LICENSE IPL10

If the realm name of the requested ticket is the empty string, decode
the actual service ticket to determine the actual realm.  Obtaining the
actual realm prevents unnecessary pts registration failures.

diff --git a/src/WINNT/aklog/aklog.c b/src/WINNT/aklog/aklog.c
index f3d01ac756dda625fb2ff6231342447e76da5dd1..d714714356df12bccbe0c2c52900f87afdc750b4 100644 (file)
--- a/src/WINNT/aklog/aklog.c
+++ b/src/WINNT/aklog/aklog.c
@@ -701,6 +701,31 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
                             NULL,
 #endif
                             &v5cred);
+
+        if (status == 0 && strcmp(realm_of_cell, "") == 0) {
+            krb5_error_code code;
+            krb5_ticket *ticket;
+
+            code = krb5_decode_ticket(&v5cred->ticket, &ticket);
+
+            if (code != 0) {
+                fprintf(stderr,
+                         "%s: Couldn't decode ticket to determine realm for "
+                         "cell %s.\n",
+                         progname, cell_to_use);
+            } else {
+                int len = krb5_princ_realm(context, ticket->server)->length;
+                /* This really shouldn't happen. */
+                if (len > REALM_SZ-1)
+                    len = REALM_SZ-1;
+
+                strncpy(realm_of_cell, krb5_princ_realm(context, ticket->server)->data, len);
+                realm_of_cell[len] = 0;
+
+                krb5_free_ticket(context, ticket);
+            }
+        }
+
        if (status == KRB5_ERR_HOST_REALM_UNKNOWN) {
            realm_fallback = 1;
            goto try_v5;