struct rx_service *tservice;
struct rx_securityClass **securityClasses;
afs_int32 numClasses;
- int kerberosKeys; /* set if found some keys */
int lwps = 3;
char clones[MAXHOSTSPERCELL];
afs_uint32 host = htonl(INADDR_ANY);
pr_realmName = info.name;
{
- afs_int32 kvno; /* see if there is a KeyFile here */
- struct ktc_encryptionKey key;
- code = afsconf_GetLatestKey(prdir, &kvno, &key);
- kerberosKeys = (code == 0);
- if (!kerberosKeys)
- printf
- ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n",
- code);
- }
- if (kerberosKeys) {
/* initialize ubik */
ubik_CRXSecurityProc = afsconf_ClientAuth;
ubik_CRXSecurityRock = prdir;
* to force use of the KeyFile. secLevel == 0 implies -noauth was
* specified. */
if (secLevel == 2) {
- code = afsconf_GetLatestKey(tdir, 0, 0);
+ secFlags = AFSCONF_SECOPTS_LOCALAUTH;
+ secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
+ code = afsconf_PickClientSecObj(tdir, secFlags, &info, cell, &sc, &scIndex, NULL);
if (code) {
afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
- } else {
- /* If secLevel is two assume we're on a file server and use
- * ClientAuthSecure if possible. */
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- afs_com_err(whoami, code, "(calling client secure)\n");
}
+
} else if (secLevel > 0) {
secFlags = 0;
if (secLevel > 1)
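Review bot: In the `secLevel == 2` branch, a failure of `afsconf_PickClientSecObj` is only reported through `afs_com_err` and execution continues, although the comment above says this level exists to force use of the KeyFile. What happens to `sc` and `scIndex` afterwards lies outside the hunk; if the function later substitutes a null security object when `sc` is still NULL, a missing or unreadable key would silently downgrade this caller to an unauthenticated connection. I would make the failure terminal for this level, for example `if (code) { afs_com_err(whoami, code, "(getting key from local KeyFile)\n"); return code; }`, after releasing anything the function has opened by that point. At minimum, add a comment here stating whether continuing after the error is intentional.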
/* Most callers use secLevel==1, however, the fileserver uses secLevel==2
* to force use of the KeyFile. secLevel == 0 implies -noauth was
* specified. */
- if ((afsconf_GetLatestKey(tdir, 0, 0) == 0)) {
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
- if (code)
- scIndex = RX_SECIDX_NULL;
- } else {
- afsconf_ClientAuthToken(&info, 0, &sc, &scIndex, NULL);
- }
+ code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
+ if (code)
+ ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
+ if (code)
+ scIndex = RX_SECIDX_NULL;
+
if ((scIndex == RX_SECIDX_NULL) && (sc == NULL))
sc = rxnull_NewClientSecurityObject();
if (scIndex == RX_SECIDX_NULL)
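Review bot: When `afsconf_ClientAuthSecure` fails, the code sets `scIndex = RX_SECIDX_NULL` and the lines just below create `rxnull_NewClientSecurityObject()`, so the connection goes ahead unauthenticated and the only trace is the `ViceLog(0, ...)` message. With the `afsconf_GetLatestKey` pre-check removed, a host with no usable key presumably now lands on this path instead of the old `afsconf_ClientAuthToken` branch. That is worth a comment such as `/* No usable local key: fall back to rxnull on purpose; operators should alert on the log line above. */`. The two consecutive `if (code)` tests should also be merged into one braced block, `if (code) { ViceLog(...); scIndex = RX_SECIDX_NULL; }`, so the log and the downgrade cannot drift apart. The enclosing function starts and ends outside the hunk.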