STABLE14-windows-force-krb524-20030921

Provide mechanisms to force the use of krb524 via afscreds, afslogon,
and aklog.  afslogon and afscreds rely on a new "Use524" registry value
(see registry.txt) and aklog has a new "-m" command line option.


(cherry picked from commit b400902339)

doc/txt/winnotes/afs-changes-since-1.2.txt

@@ -1,4 +1,9 @@
 Since 1.3.71:
+  * provide mechanisms to force the use of krb524d for Kerberos 5
+    ticket to AFS token conversion.  For afslogon.dll and afscreds.exe
+    there is a new registry value "Use524" and for aklog.exe a new
+    command line parameter "-m".
+
   * Fix the pattern matching algorithm to properly match patterns
     ending with a '*'.
 

doc/txt/winnotes/registry.txt

@@ -628,6 +628,17 @@ Function: KFW_is_available()
   Kerberos 4 implementation will be used instead.  The current user value 
   is checked first; if it does not exist the local machine value is checked.
 
+Value   : Use524
+Type    : DWORD {0, 1}
+Default : 0
+Function: KFW_use_krb524()
+
+  When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
+  to obtain AFS credentials.  By setting this value to 1, the Kerberos 5
+  tickets will be converted to Kerberos 4 tokens via a call to the krb524
+  daemon.  The current user value is checked first; if it does not exist 
+  the local machine value is checked.
+
 Value   : AfscredsShortcutParams
 Type    : REG_SZ
 Default : "-A -M -N -Q"

src/WINNT/afsd/afskfw.c

@@ -444,11 +444,36 @@ KFW_cleanup(void)
 
 static char OpenAFSConfigKeyName[] = "SOFTWARE\\OpenAFS\\Client";
 
+int
+KFW_use_krb524(void)
+{
+    HKEY parmKey;
+    DWORD code, len;
+    DWORD use524 = 0;
+
+    code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
+                         0, KEY_QUERY_VALUE, &parmKey);
+    if (code != ERROR_SUCCESS)
+        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                             0, KEY_QUERY_VALUE, &parmKey);
+    if (code == ERROR_SUCCESS) {
+        len = sizeof(use524);
+        code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
+                                (BYTE *) &use524, &len);
+        if (code != ERROR_SUCCESS) {
+            use524 = 0;
+        }
+        RegCloseKey (parmKey);
+    }
+
+    return use524;
+}
+
 int 
 KFW_is_available(void)
 {
     HKEY parmKey;
-	DWORD code, len;
+    DWORD code, len;
     DWORD enableKFW = 1;
 
     code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
@@ -456,7 +481,7 @@ KFW_is_available(void)
     if (code != ERROR_SUCCESS)
         code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
                              0, KEY_QUERY_VALUE, &parmKey);
-	if (code == ERROR_SUCCESS) {
+    if (code == ERROR_SUCCESS) {
         len = sizeof(enableKFW);
         code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL,
                                 (BYTE *) &enableKFW, &len);
@@ -464,7 +489,7 @@ KFW_is_available(void)
             enableKFW = 1;
         }
         RegCloseKey (parmKey);
-	}
+    }
 
     if ( !enableKFW )
         return FALSE;
@@ -2761,7 +2786,8 @@ KFW_AFS_klog(
          * No need to perform a krb524 translation which is 
          * commented out in the code below
          */
-        if (k5creds->ticket.length > MAXKTCTICKETLEN)
+        if (KFW_use_krb524() ||
+            k5creds->ticket.length > MAXKTCTICKETLEN)
             goto try_krb524d;
 
         memset(&aserver, '\0', sizeof(aserver));