--- openafs/src/kauth/kaprocs.c 6 Sep 2002 02:44:03 -0000 1.12 +++ openafs/src/kauth/kaprocs.c 18 Mar 2003 03:56:18 -0000 1.13 @@ -1706,6 +1706,11 @@ celllen = strlen (cell); if (import && (celllen == 0)) {code = KABADTICKET; goto abort;} if (export && (celllen == 0)) strcpy (cell, lrealm); + + if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) { + code = KABADUSER; + goto abort; + } des_ecb_encrypt (atimes->SeqBody, ×, schedule, DECRYPT); times.start = ntohl(times.start); --- openafs/src/kauth/kaserver.c 21 Aug 2002 18:13:22 -0000 1.13 +++ openafs/src/kauth/kaserver.c 18 Mar 2003 03:56:18 -0000 1.14 @@ -56,6 +56,8 @@ struct ubik_dbase *KA_dbase; afs_int32 myHost = 0; afs_int32 verbose_track = 1; +afs_int32 krb4_cross = 0; + struct afsconf_dir *KA_conf; /* for getting cell info */ extern afs_int32 ubik_lastYesTime; @@ -193,6 +195,7 @@ usage: printf("Usage: kaserver [-noAuth] [-fastKeys] [-database ] " "[-localfiles ] [-minhours ] [-servers ] " + "[-crossrealm]" /*" [-enable_peer_stats] [-enable_process_stats] " */ "[-help]\n"); exit(1); @@ -250,6 +253,7 @@ else if (IsArg("-clear")) level = rxkad_clear; else if (IsArg("-sorry")) level = rxkad_clear; else if (IsArg("-debug")) verbose_track = 0; + else if (IsArg("-crossrealm")) krb4_cross = 1; else if (IsArg("-minhours")) { MinHours = atoi(argv[++a]); } --- openafs/src/kauth/kaserver.h 4 Nov 2000 10:04:39 -0000 1.2 +++ openafs/src/kauth/kaserver.h 18 Mar 2003 23:47:51 -0000 1.4 @@ -179,6 +179,7 @@ u_int locktime ); +extern afs_int32 krb4_cross; #define LOCKPW --- openafs/src/kauth/krb_udp.c 22 Aug 2002 18:45:16 -0000 1.20 +++ openafs/src/kauth/krb_udp.c 18 Mar 2003 03:56:18 -0000 1.21 @@ -461,6 +461,11 @@ strncpy (cell, lrealm, MAXKTCREALMLEN-1); cell[MAXKTCREALMLEN-1] = 0; }; + + if (!krb4_cross && strcmp(lrealm, cell) != 0) { + code = KERB_ERR_PRINCIPAL_UNKNOWN; + goto abort; + } if (krb_udp_debug) { printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",