STABLE14-windows-force-krb524-20030921

Provide mechanisms to force the use of krb524 via afscreds, afslogon,
and aklog.  afslogon and afscreds rely on a new "Use524" registry value
(see registry.txt) and aklog has a new "-m" command line option.


(cherry picked from commit b400902339)

doc/txt/winnotes/afs-changes-since-1.2.txt

@@ -1,4 +1,9 @@
 Since 1.3.71:
+  * provide mechanisms to force the use of krb524d for Kerberos 5
+    ticket to AFS token conversion.  For afslogon.dll and afscreds.exe
+    there is a new registry value "Use524" and for aklog.exe a new
+    command line parameter "-m".
+
   * Fix the pattern matching algorithm to properly match patterns
     ending with a '*'.
 

doc/txt/winnotes/registry.txt

@@ -628,6 +628,17 @@ Function: KFW_is_available()
   Kerberos 4 implementation will be used instead.  The current user value 
   is checked first; if it does not exist the local machine value is checked.
 
+Value   : Use524
+Type    : DWORD {0, 1}
+Default : 0
+Function: KFW_use_krb524()
+
+  When MIT Kerberos for Windows can be loaded, Kerberos 5 will be used
+  to obtain AFS credentials.  By setting this value to 1, the Kerberos 5
+  tickets will be converted to Kerberos 4 tokens via a call to the krb524
+  daemon.  The current user value is checked first; if it does not exist 
+  the local machine value is checked.
+
 Value   : AfscredsShortcutParams
 Type    : REG_SZ
 Default : "-A -M -N -Q"

src/WINNT/afsd/afskfw.c

@@ -444,6 +444,31 @@ KFW_cleanup(void)
 
 static char OpenAFSConfigKeyName[] = "SOFTWARE\\OpenAFS\\Client";
 
+int
+KFW_use_krb524(void)
+{
+    HKEY parmKey;
+    DWORD code, len;
+    DWORD use524 = 0;
+
+    code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName,
+                         0, KEY_QUERY_VALUE, &parmKey);
+    if (code != ERROR_SUCCESS)
+        code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName,
+                             0, KEY_QUERY_VALUE, &parmKey);
+    if (code == ERROR_SUCCESS) {
+        len = sizeof(use524);
+        code = RegQueryValueEx(parmKey, "Use524", NULL, NULL,
+                                (BYTE *) &use524, &len);
+        if (code != ERROR_SUCCESS) {
+            use524 = 0;
+        }
+        RegCloseKey (parmKey);
+    }
+
+    return use524;
+}
+
 int 
 KFW_is_available(void)
 {
@@ -2761,7 +2786,8 @@ KFW_AFS_klog(
          * No need to perform a krb524 translation which is 
          * commented out in the code below
          */
-        if (k5creds->ticket.length > MAXKTCTICKETLEN)
+        if (KFW_use_krb524() ||
+            k5creds->ticket.length > MAXKTCTICKETLEN)
             goto try_krb524d;
 
         memset(&aserver, '\0', sizeof(aserver));

src/WINNT/aklog/aklog.c

@@ -148,6 +148,7 @@ static int force = FALSE;	/* Bash identical tokens? */
 static linked_list authedcells;	/* List of cells already logged to */
 
 static int usev5 = TRUE;   /* use kerberos 5? */
+static int use524 = FALSE;  /* use krb524? */
 static krb5_ccache _krb425_ccache;
 
 long GetLocalCell(struct afsconf_dir **pconfigdir, char *local_cell)
@@ -626,11 +627,13 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
       try_v5:
         if (dflag)
             printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_cell);
-		status = get_v5cred(context, name, instance, realm_of_cell, NULL, &v5cred);
+        status = get_v5cred(context, name, instance, realm_of_cell, 
+                            use524 ? &c : NULL, &v5cred);
         if (status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
             if (dflag)
                 printf("Getting v5 tickets: %s@%s\n", name, realm_of_cell);
-			status = get_v5cred(context, name, "", realm_of_cell, NULL, &v5cred);
+            status = get_v5cred(context, name, "", realm_of_cell, 
+                                use524 ? &c : NULL, &v5cred);
         }
         if ( status == KRB5KRB_AP_ERR_MSG_TYPE && retry ) {
             retry = 0;
@@ -673,7 +676,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
     strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
     strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);
 
-    if (usev5) {
+    if (usev5 && !use524) {
         /* This code inserts the entire K5 ticket into the token
          * No need to perform a krb524 translation which is
          * commented out in the code below
@@ -771,7 +774,7 @@ static int auth_to_cell(krb5_context context, char *cell, char *realm)
     strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
     strcpy(aclient.instance, "");
     
-    if (usev5) {
+    if (usev5 && !use524) {
         int len = min(v5cred->client->realm.length,MAXKTCNAMELEN - 1);
         strncpy(aclient.cell, v5cred->client->realm.data, len);
         aclient.cell[len] = '\0';
@@ -1046,7 +1049,7 @@ static void usage(void)
              "[-d] [[-cell | -c] cell [-k krb_realm]] ",
              "[[-p | -path] pathname]\n",
              "    [-noprdb] [-force]\n",
-		"    [-5 | -4]\n"
+             "    [-5 [-m]| -4]\n"
              );
     fprintf(stderr, "    -d gives debugging information.\n");
     fprintf(stderr, "    krb_realm is the kerberos realm of a cell.\n");
@@ -1055,6 +1058,7 @@ static void usage(void)
     fprintf(stderr, "    -noprdb means don't try to determine AFS ID.\n");
     fprintf(stderr, "    -5 or -4 selects whether to use Kerberos V or Kerberos IV.\n"
                     "       (default is Kerberos V)\n");
+    fprintf(stderr, "       -m means use krb524d to convert Kerberos V tickets.\n");
     fprintf(stderr, "    No commandline arguments means ");
     fprintf(stderr, "authenticate to the local cell.\n");
     fprintf(stderr, "\n");
@@ -1111,6 +1115,8 @@ int main(int argc, char *argv[])
             dflag++;
         else if (strcmp(argv[i], "-5") == 0)
             usev5++;
+        else if (strcmp(argv[i], "-m") == 0)
+            use524++;
         else if (strcmp(argv[i], "-4") == 0)
             usev5 = 0;
         else if (strcmp(argv[i], "-noprdb") == 0)