From 4b1e329e30421b47426137d8007afdf7e2e43918 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 9 May 2011 10:46:46 -0400 Subject: [PATCH] Windows: always try afs/cell@USER-REALM first In the KFW_AFS library, always try afs/cell@USER-REALM first, even when KFW_AFS_klog() is called with an explicit realm mapping for the cell. An afs service principal from the user's realm is always preferred. No cross realm and if the realm is AD, the ability to avoid the inclusion of a PAC. Change-Id: Ia29085e03d7c8a7c05e0c8d7991bc48b780b84fa Reviewed-on: http://gerrit.openafs.org/4633 Tested-by: BuildBot Reviewed-by: Jeffrey Altman --- src/WINNT/afsd/afskfw.c | 289 ++++++++++++++++++++-------------------- 1 file changed, 147 insertions(+), 142 deletions(-) diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c index 9633e78f4..a2f3d1c0f 100644 --- a/src/WINNT/afsd/afskfw.c +++ b/src/WINNT/afsd/afskfw.c @@ -1413,9 +1413,12 @@ KFW_AFS_get_cred( char * username, StringCbCat( pname, len, realm); } if ( IsDebuggerPresent() ) { - OutputDebugString("Realm: "); + OutputDebugString("Realm of Cell: "); OutputDebugString(realm); OutputDebugString("\n"); + OutputDebugString("Realm of User: "); + OutputDebugString(userrealm); + OutputDebugString("\n"); } code = pkrb5_parse_name(ctx, pname, &principal); 
@@ -3000,53 +3003,62 @@ KFW_AFS_klog( /* Ask for DES since that is what V4 understands */ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - /* If there was a specific realm we are supposed to try - * then use it - */ - if (strlen(realm) != 0) { - /* service/cell@REALM */ - increds.server = 0; - code = pkrb5_build_principal(ctx, &increds.server, - (int)strlen(realm), - realm, - ServiceName, - CellName, - 0); - if ( IsDebuggerPresent() ) { - char * cname, *sname; - pkrb5_unparse_name(ctx, increds.client, &cname); - pkrb5_unparse_name(ctx, increds.server, &sname); - OutputDebugString("Getting tickets for \""); - OutputDebugString(cname); - OutputDebugString("\" and service \""); - OutputDebugString(sname); - OutputDebugString("\"\n"); - pkrb5_free_unparsed_name(ctx,cname); - pkrb5_free_unparsed_name(ctx,sname); - } + /* ALWAYS first try service/cell@CLIENT_REALM */ + if (code = pkrb5_build_principal(ctx, &increds.server, + (int)strlen(realm_of_user), + realm_of_user, + ServiceName, + CellName, + 0)) + { + goto cleanup; + } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if ( IsDebuggerPresent() ) { + char * cname, *sname; + pkrb5_unparse_name(ctx, increds.client, &cname); + pkrb5_unparse_name(ctx, increds.server, &sname); + OutputDebugString("Getting tickets for \""); + OutputDebugString(cname); + OutputDebugString("\" and service \""); + OutputDebugString(sname); + OutputDebugString("\"\n"); + pkrb5_free_unparsed_name(ctx,cname); + pkrb5_free_unparsed_name(ctx,sname); + } + + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == 0) { + /* The client's realm is a local realm for the cell. + * Save it so that later the pts registration will not + * be performed. 
+ */ + StringCbCopyN( realm_of_cell, sizeof(realm_of_cell), + realm_of_user, sizeof(realm_of_cell) - 1); + } - if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || - code == KRB5_ERR_HOST_REALM_UNKNOWN || - code == KRB5KRB_ERR_GENERIC /* heimdal */ || - code == KRB5KRB_AP_ERR_MSG_TYPE) { - /* Or service@REALM */ - pkrb5_free_principal(ctx,increds.server); + + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || + code == KRB5_ERR_HOST_REALM_UNKNOWN || + code == KRB5KRB_ERR_GENERIC /* heimdal */ || + code == KRB5KRB_AP_ERR_MSG_TYPE) { + /* If there was a specific realm we are supposed to try + * then use it + */ + if (strlen(realm) != 0) { + /* service/cell@REALM */ increds.server = 0; code = pkrb5_build_principal(ctx, &increds.server, - (int)strlen(realm), - realm, - ServiceName, - 0); - + (int)strlen(realm), + realm, + ServiceName, + CellName, + 0); if ( IsDebuggerPresent() ) { char * cname, *sname; pkrb5_unparse_name(ctx, increds.client, &cname); pkrb5_unparse_name(ctx, increds.server, &sname); - OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); - OutputDebugString("Trying again: getting tickets for \""); + OutputDebugString("Getting tickets for \""); OutputDebugString(cname); OutputDebugString("\" and service \""); OutputDebugString(sname); 
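Review bot: The new `if (strlen(realm) != 0)` fallback clears `increds.server` with `increds.server = 0;` before rebuilding it for `realm`, but the principal built just above for `service/cell@realm_of_user` is never released first, so every call that falls through to the configured realm mapping leaks that principal; the sibling fallbacks (`/* Or service@REALM */`, `/* Then service/cell@CELL_REALM */`) all call `pkrb5_free_principal` before zeroing. Insert `pkrb5_free_principal(ctx, increds.server);` immediately before that `increds.server = 0;`. The enclosing KFW_AFS_klog body begins before this hunk and continues past it.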
@@ -3057,114 +3069,107 @@ KFW_AFS_klog( if (!code) code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); - } - if (code == 0) { - /* we have a local realm for the cell */ - StringCbCopyN( realm_of_cell, sizeof(realm_of_cell), - realm, sizeof(realm_of_cell) - 1); - } - } else { - /* Otherwise, first try service/cell@CLIENT_REALM */ - if (code = pkrb5_build_principal(ctx, &increds.server, - (int)strlen(realm_of_user), - realm_of_user, - ServiceName, - CellName, - 0)) - { - goto cleanup; - } + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || + code == KRB5_ERR_HOST_REALM_UNKNOWN || + code == KRB5KRB_ERR_GENERIC /* heimdal */ || + code == KRB5KRB_AP_ERR_MSG_TYPE) { + /* Or service@REALM */ + pkrb5_free_principal(ctx,increds.server); + increds.server = 0; + code = pkrb5_build_principal(ctx, &increds.server, + (int)strlen(realm), + realm, + ServiceName, + 0); - if ( IsDebuggerPresent() ) { - char * cname, *sname; - pkrb5_unparse_name(ctx, increds.client, &cname); - pkrb5_unparse_name(ctx, increds.server, &sname); - OutputDebugString("Getting tickets for \""); - OutputDebugString(cname); - OutputDebugString("\" and service \""); - OutputDebugString(sname); - OutputDebugString("\"\n"); - pkrb5_free_unparsed_name(ctx,cname); - pkrb5_free_unparsed_name(ctx,sname); - } + if ( IsDebuggerPresent() ) { + char * cname, *sname; + pkrb5_unparse_name(ctx, increds.client, &cname); + pkrb5_unparse_name(ctx, increds.server, &sname); + OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); + OutputDebugString("Trying again: getting tickets for \""); + OutputDebugString(cname); + OutputDebugString("\" and service \""); + OutputDebugString(sname); + OutputDebugString("\"\n"); + pkrb5_free_unparsed_name(ctx,cname); + pkrb5_free_unparsed_name(ctx,sname); + } - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); - if (code == 0) { - /* The client's realm is a local realm for the cell. 
- * Save it so that later the pts registration will not - * be performed. - */ - StringCbCopyN( realm_of_cell, sizeof(realm_of_cell), - realm_of_user, sizeof(realm_of_cell) - 1); - } + if (!code) + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + } - if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || - code == KRB5_ERR_HOST_REALM_UNKNOWN || - code == KRB5KRB_ERR_GENERIC /* heimdal */ || - code == KRB5KRB_AP_ERR_MSG_TYPE) && - strcmp(realm_of_user, realm_of_cell)) { - /* Then service/cell@CELL_REALM */ - pkrb5_free_principal(ctx,increds.server); - increds.server = 0; - code = pkrb5_build_principal(ctx, &increds.server, - (int)strlen(realm_of_cell), - realm_of_cell, - ServiceName, - CellName, - 0); - if ( IsDebuggerPresent() ) { - char * cname, *sname; - pkrb5_unparse_name(ctx, increds.client, &cname); - pkrb5_unparse_name(ctx, increds.server, &sname); - OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); - OutputDebugString("Trying again: getting tickets for \""); - OutputDebugString(cname); - OutputDebugString("\" and service \""); - OutputDebugString(sname); - OutputDebugString("\"\n"); - pkrb5_free_unparsed_name(ctx,cname); - pkrb5_free_unparsed_name(ctx,sname); + if (code == 0) { + /* we have a local realm for the cell */ + StringCbCopyN( realm_of_cell, sizeof(realm_of_cell), + realm, sizeof(realm_of_cell) - 1); } + } else { + if (strcmp(realm_of_user, realm_of_cell)) { + /* Then service/cell@CELL_REALM */ + pkrb5_free_principal(ctx,increds.server); + increds.server = 0; + code = pkrb5_build_principal(ctx, &increds.server, + (int)strlen(realm_of_cell), + realm_of_cell, + ServiceName, + CellName, + 0); + if ( IsDebuggerPresent() ) { + char * cname, *sname; + pkrb5_unparse_name(ctx, increds.client, &cname); + pkrb5_unparse_name(ctx, increds.server, &sname); + OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); + OutputDebugString("Trying again: getting tickets for \""); + 
OutputDebugString(cname); + OutputDebugString("\" and service \""); + OutputDebugString(sname); + OutputDebugString("\"\n"); + pkrb5_free_unparsed_name(ctx,cname); + pkrb5_free_unparsed_name(ctx,sname); + } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (!code) + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); - if (!code && !strlen(realm_of_cell)) - copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); - } + if (!code && !strlen(realm_of_cell)) + copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); + } - if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || - code == KRB5_ERR_HOST_REALM_UNKNOWN || - code == KRB5KRB_ERR_GENERIC /* heimdal */ || - code == KRB5KRB_AP_ERR_MSG_TYPE) { - /* Finally service@CELL_REALM */ - pkrb5_free_principal(ctx,increds.server); - increds.server = 0; - code = pkrb5_build_principal(ctx, &increds.server, - (int)strlen(realm_of_cell), - realm_of_cell, - ServiceName, - 0); + if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || + code == KRB5_ERR_HOST_REALM_UNKNOWN || + code == KRB5KRB_ERR_GENERIC /* heimdal */ || + code == KRB5KRB_AP_ERR_MSG_TYPE) { + /* Finally service@CELL_REALM */ + pkrb5_free_principal(ctx,increds.server); + increds.server = 0; + code = pkrb5_build_principal(ctx, &increds.server, + (int)strlen(realm_of_cell), + realm_of_cell, + ServiceName, + 0); - if ( IsDebuggerPresent() ) { - char * cname, *sname; - pkrb5_unparse_name(ctx, increds.client, &cname); - pkrb5_unparse_name(ctx, increds.server, &sname); - OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); - OutputDebugString("Trying again: getting tickets for \""); - OutputDebugString(cname); - OutputDebugString("\" and service \""); - OutputDebugString(sname); - OutputDebugString("\"\n"); - pkrb5_free_unparsed_name(ctx,cname); - pkrb5_free_unparsed_name(ctx,sname); - } + if ( IsDebuggerPresent() ) { + char * cname, *sname; + pkrb5_unparse_name(ctx, increds.client, 
&cname); + pkrb5_unparse_name(ctx, increds.server, &sname); + OutputDebugString("krb5_get_credentials() returned Service Principal Unknown\n"); + OutputDebugString("Trying again: getting tickets for \""); + OutputDebugString(cname); + OutputDebugString("\" and service \""); + OutputDebugString(sname); + OutputDebugString("\"\n"); + pkrb5_free_unparsed_name(ctx,cname); + pkrb5_free_unparsed_name(ctx,sname); + } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); - if (!code && !strlen(realm_of_cell)) - copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); + if (!code) + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (!code && !strlen(realm_of_cell)) + copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); + } } } @@ -3187,10 +3192,10 @@ KFW_AFS_klog( goto try_krb524d; memset(&aserver, '\0', sizeof(aserver)); - StringCbCopyN( aserver.name, sizeof(aserver.name), - ServiceName, sizeof(aserver.name) - 1); - StringCbCopyN( aserver.cell, sizeof(aserver.cell), - CellName, sizeof(aserver.cell) - 1); + StringCbCopyN(aserver.name, sizeof(aserver.name), + ServiceName, sizeof(aserver.name) - 1); + StringCbCopyN(aserver.cell, sizeof(aserver.cell), + CellName, sizeof(aserver.cell) - 1); memset(&atoken, '\0', sizeof(atoken)); atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5; -- 2.39.5
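Review bot: The debugger dump of `increds.client`/`increds.server` is now copied five times across this hunk and the previous one (the `/* Or service@REALM */`, `/* Then service/cell@CELL_REALM */` and `/* Finally service@CELL_REALM */` blocks here plus the two "Getting tickets for" blocks above), each with its own unparse/free pair, and none of the copies checks the `pkrb5_unparse_name` return before handing `cname`/`sname` to `OutputDebugString` and `pkrb5_free_unparsed_name`. A small static helper taking the prefix string removes the duplication and gives one place to handle the unparse failure, as sketched below; each copy then collapses to `debug_print_creds_request(ctx, &increds, "Getting tickets for \"");` or the retry variant with the longer prefix. KFW_AFS_klog starts before this hunk and continues after it.
```c
/* Write the client/server principals of a pending credential request to the
 * debugger. Best-effort: an unparse failure just skips the message. */
static void
debug_print_creds_request(krb5_context ctx, const krb5_creds *creds,
                          const char *prefix)
{
    char *cname = NULL, *sname = NULL;

    if (!IsDebuggerPresent())
        return;
    if (pkrb5_unparse_name(ctx, creds->client, &cname) ||
        pkrb5_unparse_name(ctx, creds->server, &sname))
        goto out;
    OutputDebugString(prefix);
    OutputDebugString(cname);
    OutputDebugString("\" and service \"");
    OutputDebugString(sname);
    OutputDebugString("\"\n");
out:
    if (cname)
        pkrb5_free_unparsed_name(ctx, cname);
    if (sname)
        pkrb5_free_unparsed_name(ctx, sname);
}

/* … unchanged: KFW_AFS_klog up to the realm fallbacks … */
            /* Or service@REALM */
            pkrb5_free_principal(ctx, increds.server);
            increds.server = 0;
            code = pkrb5_build_principal(ctx, &increds.server,
                                         (int)strlen(realm),
                                         realm,
                                         ServiceName,
                                         0);
            debug_print_creds_request(ctx, &increds,
                "krb5_get_credentials() returned Service Principal Unknown\n"
                "Trying again: getting tickets for \"");
/* … unchanged: remaining fallback attempts, same one-line replacement each … */
```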