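/*
 * Resolve the Kerberos realm for an AFS cell through the "krb4" front end.
 *
 * A temporary kafs_data is built on the stack carrying only the name tag and
 * the get_realm callback, then handed to _kafs_realm_of_cell(). The return
 * value and anything stored through *realm come straight from that helper.
 *
 * NOTE(review): _kafs_get_cred() free()s the realm it gets back from
 * _kafs_realm_of_cell(), so the string stored in *realm is presumably heap
 * allocated and owned by the caller -- confirm against the helper.
 */
int
krb_realm_of_cell(const char *cell, char **realm)
{
    /*
     * Zero the whole structure first. Only two members are assigned below;
     * without this the remaining members (function pointers included) would
     * hold indeterminate stack contents if the helper ever reads them.
     */
    struct kafs_data kd = { 0 };

    kd.name = "krb4";
    kd.get_realm = get_realm;
    return _kafs_realm_of_cell(&kd, cell, realm);
}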
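/*
 * Resolve the Kerberos realm for an AFS cell through the "krb5" front end.
 *
 * A temporary kafs_data is built on the stack carrying only the name tag and
 * the get_realm callback, then handed to _kafs_realm_of_cell(). The return
 * value and anything stored through *realm come straight from that helper.
 *
 * NOTE(review): _kafs_get_cred() free()s the realm it gets back from
 * _kafs_realm_of_cell(), so the string stored in *realm is presumably heap
 * allocated and owned by the caller -- confirm against the helper.
 */
krb5_error_code
krb5_realm_of_cell(const char *cell, char **realm)
{
    /*
     * Zero the whole structure first. Only two members are assigned below;
     * without this the remaining members (function pointers included) would
     * hold indeterminate stack contents if the helper ever reads them.
     */
    struct kafs_data kd = { 0 };

    kd.name = "krb5";
    kd.get_realm = get_realm;
    return _kafs_realm_of_cell(&kd, cell, realm);
}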
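/*
 * Obtain an AFS token for `cell`, trying a sequence of candidate
 * principal/realm combinations until one succeeds.
 *
 * data        backend descriptor passed through to the helpers
 * cell        AFS cell name; must fit in the 64-byte upper-cased copy
 * realm_hint  optional caller-preferred realm, tried first when non-NULL
 * realm       realm tried next; also compared against the upper-cased cell
 * uid, kt     passed through unchanged to _kafs_try_get_cred()
 *
 * Returns 0 as soon as one attempt succeeds, otherwise the non-zero result
 * of the last attempt that was made. A cell name too long for the local
 * buffer is treated as a failure instead of being folded.
 */
int
_kafs_get_cred(struct kafs_data *data,
               const char *cell,
               const char *realm_hint,
               const char *realm,
               uid_t uid,
               struct kafs_token *kt)
{
    int ret = -1;
    char *vl_realm = NULL;
    char CELL[64];

    /* We're about to find the realm that holds the key for afs in
     * the specified cell. The problem is that null-instance
     * afs-principals are common and that hitting the wrong realm might
     * yield the wrong afs key. The following assumptions were made.
     *
     * Any realm passed to us is preferred.
     *
     * If there is a realm with the same name as the cell, it is most
     * likely the correct realm to talk to.
     *
     * In most (maybe even all) cases the database servers of the cell
     * will live in the realm we are looking for.
     *
     * Try the local realm, but if the previous cases fail, this is
     * really a long shot.
     *
     */

    /* comments on the ordering of these tests */

    /* If the user passes a realm, she probably knows something we don't
     * know and we should try afs@realm_hint.
     */
    if (realm_hint) {
        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                                 cell, realm_hint, uid, kt);
        if (ret == 0)
            return 0;
        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                                 NULL, realm_hint, uid, kt);
        if (ret == 0)
            return 0;
    }

    /*
     * _kafs_foldup() is given no destination size, so it cannot bound the
     * copy into CELL itself. The cell name is caller-supplied; refuse one
     * that would not fit (terminator included) rather than write past the
     * end of the stack buffer. ret is non-zero here: it is either the
     * initial -1 or the failure code of the realm_hint attempts.
     */
    if (cell != NULL && strlen(cell) >= sizeof(CELL))
        return ret;

    /* Presumably stores an upper-cased copy of cell in CELL -- verify. */
    _kafs_foldup(CELL, cell);

    /*
     * If the AFS servers have a file /usr/afs/etc/krb.conf containing
     * REALM we still don't have to resort to cross-cell authentication.
     * Try afs.cell@REALM.
     */
    ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                             cell, realm, uid, kt);
    if (ret == 0)
        return 0;

    /*
     * If cell == realm we don't need no cross-cell authentication.
     * Try afs@REALM.
     */
    if (strcmp(CELL, realm) == 0) {
        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                                 NULL, realm, uid, kt);
        if (ret == 0)
            return 0;
    }

    /*
     * We failed to get ``first class tickets'' for afs,
     * fall back to cross-cell authentication.
     * Try afs@CELL.
     * Try afs.cell@CELL.
     */
    ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                             NULL, CELL, uid, kt);
    if (ret == 0)
        return 0;
    ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                             cell, CELL, uid, kt);
    if (ret == 0)
        return 0;

    /*
     * Perhaps the cell doesn't correspond to any realm?
     * Use realm of first volume location DB server.
     * Try afs.cell@VL_REALM.
     * Try afs@VL_REALM???
     */
    if (_kafs_realm_of_cell(data, cell, &vl_realm) == 0
        && strcmp(vl_realm, realm) != 0
        && strcmp(vl_realm, CELL) != 0) {
        /* Skipped when vl_realm equals realm or CELL: both were tried above. */
        ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                                 cell, vl_realm, uid, kt);
        if (ret)
            ret = _kafs_try_get_cred(data, AUTH_SUPERUSER,
                                     NULL, vl_realm, uid, kt);
        free(vl_realm);
        if (ret == 0)
            return 0;
    }

    return ret;
}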