Index: /trunk/server/common/oursrc/accountadm/admof.c =================================================================== --- /trunk/server/common/oursrc/accountadm/admof.c (revision 1600) +++ /trunk/server/common/oursrc/accountadm/admof.c (revision 1601) @@ -96,4 +96,46 @@ } +/* Resolve a Kerberos principal to a name usable by the AFS PTS. */ +void +resolve_principal(const char *name, const char *cell, char *user) +{ + /* Figure out the cell's realm. */ + krb5_context context; + krb5_init_context(&context); + + char **realm_list; + if (krb5_get_host_realm(context, cell, &realm_list) != 0 || + realm_list[0] == NULL) + die("internal error: krb5_get_host_realm failed"); + + /* Convert the Kerberos 5 principal into a (Kerberos IV-style) AFS + name, omitting the realm if it equals the cell's realm. */ + krb5_principal principal; + if (krb5_parse_name(context, name, &principal) != 0) + die("internal error: krb5_parse_name failed"); + char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; + if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0) + die("internal error: krb5_524_conv_principal failed\n"); + if (kname_unparse(user, pname, pinst, + strcmp(prealm, realm_list[0]) == 0 ? NULL : prealm) != 0) + die("internal error: kname_unparse failed\n"); + + krb5_free_principal(context, principal); + krb5_free_host_realm(context, realm_list); + krb5_free_context(context); + + /* Instead of canonicalizing the name as below, we just use + strcasecmp above. */ +#if 0 + afs_int32 id; + if (pr_SNameToId((char *)user, &id) != 0) + die("bad principal\n"); + if (id == ANONYMOUSID) + die("anonymous\n"); + if (pr_SIdToName(id, user) != 0) + die("internal error: pr_SIdToName failed\n"); +#endif +} + int main(int argc, const char *argv[]) @@ -186,41 +228,6 @@ afsconf_Close(configdir); - /* Figure out the cell's realm. */ - krb5_context context; - krb5_init_context(&context); - - char **realm_list; - if (krb5_get_host_realm(context, cellconfig.hostName[0], &realm_list) != 0 || - realm_list[0] == NULL) - die("internal error: krb5_get_host_realm failed"); - - /* Convert the Kerberos 5 principal into a (Kerberos IV-style) AFS - name, omitting the realm if it equals the cell's realm. */ - krb5_principal principal; - if (krb5_parse_name(context, name, &principal) != 0) - die("internal error: krb5_parse_name failed"); - char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - if (krb5_524_conv_principal(context, principal, pname, pinst, prealm) != 0) - die("internal error: krb5_524_conv_principal failed\n"); char user[MAX(PR_MAXNAMELEN, MAX_K_NAME_SZ)]; - if (kname_unparse(user, pname, pinst, - strcmp(prealm, realm_list[0]) == 0 ? NULL : prealm) != 0) - die("internal error: kname_unparse failed\n"); - - krb5_free_principal(context, principal); - krb5_free_host_realm(context, realm_list); - krb5_free_context(context); - - /* Instead of canonicalizing the name as below, we just use - strcasecmp above. */ -#if 0 - afs_int32 id; - if (pr_SNameToId((char *)user, &id) != 0) - die("bad principal\n"); - if (id == ANONYMOUSID) - die("anonymous\n"); - if (pr_SIdToName(id, user) != 0) - die("internal error: pr_SIdToName failed\n"); -#endif + resolve_principal(name, cellconfig.hostName[0], user); /* Read the locker ACL. */ @@ -250,4 +257,5 @@ char sysadmins[] = SYSADMINS, sysadmin_cell[] = SYSADMIN_CELL; if (pr_Initialize(secLevel, (char *)AFSDIR_CLIENT_ETC_DIRPATH, sysadmin_cell) == 0) { + resolve_principal(name, sysadmin_cell, user); if (ismember(user, sysadmins)) { openlog("admof", 0, LOG_AUTHPRIV);