authorJeff Layton <jlayton@redhat.com>2009-10-14 10:58:20 -0400
committerKarolin Seeger <kseeger@samba.org>2009-10-20 15:00:32 +0200
commit9d1517e8fa2e4252685a36e35b5efe60ff8bec39 (patch)
tree1bd21f94d5280e4b1e3a1b79b15505718d613782
parent9724c2e38497a87b078a163f68c5372886f90c60 (diff)
downloadsamba-9d1517e8fa2e4252685a36e35b5efe60ff8bec39.tar.gz
cifs.upcall: try getting a "cifs/" principal and fall back to "host/"
cifs.upcall takes a "-c" flag that tells the upcall to get a principal in the form of "cifs/hostname.example.com@REALM" instead of "host/hostname.example.com@REALM". This has turned out to be a source of great confusion for users. Instead of requiring this flag, have the upcall try to get a "cifs/" principal first. If that fails, fall back to getting a "host/" principal. Signed-off-by: Jeff Layton <jlayton@redhat.com> (cherry picked from commit edca7df0dd43ee1d7ae2fc4954470efdf64a4d8e)
-rw-r--r--docs-xml/manpages-3/cifs.upcall.8.xml4
-rw-r--r--source3/client/cifs.upcall.c28
2 files changed, 18 insertions, 14 deletions
diff --git a/docs-xml/manpages-3/cifs.upcall.8.xml b/docs-xml/manpages-3/cifs.upcall.8.xml
index b62246c0339..43d0152f434 100644
--- a/docs-xml/manpages-3/cifs.upcall.8.xml
+++ b/docs-xml/manpages-3/cifs.upcall.8.xml
@@ -48,7 +48,7 @@ to be run that way.</para>
<variablelist>
<varlistentry>
<term>-c</term>
- <listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal.
+ <listitem><para>This option is deprecated and is currently ignored.
</para></listitem>
</varlistentry>
@@ -86,7 +86,7 @@ to be run that way.</para>
<programlisting>
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ==========================================
-create cifs.spnego * * /usr/local/sbin/cifs.upcall -c %k
+create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
create dns_resolver * * /usr/local/sbin/cifs.upcall %k
</programlisting>
<para>
diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c
index b8102bb4f85..732b2a090b7 100644
--- a/source3/client/cifs.upcall.c
+++ b/source3/client/cifs.upcall.c
@@ -30,7 +30,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
#include "cifs_spnego.h"
-const char *CIFSSPNEGO_VERSION = "1.2";
+const char *CIFSSPNEGO_VERSION = "1.3";
static const char *prog = "cifs.upcall";
typedef enum _sectype {
NONE = 0,
@@ -291,8 +291,8 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
static void
usage(void)
{
- syslog(LOG_INFO, "Usage: %s [-c] [-v] key_serial", prog);
- fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
+ syslog(LOG_INFO, "Usage: %s [-v] key_serial", prog);
+ fprintf(stderr, "Usage: %s [-v] key_serial\n", prog);
}
int main(const int argc, char *const argv[])
@@ -303,7 +303,7 @@ int main(const int argc, char *const argv[])
key_serial_t key = 0;
size_t datalen;
long rc = 1;
- int c, use_cifs_service_prefix = 0;
+ int c;
char *buf, *princ, *ccname = NULL;
struct decoded_args arg = { };
const char *oid;
@@ -313,7 +313,7 @@ int main(const int argc, char *const argv[])
while ((c = getopt(argc, argv, "cv")) != -1) {
switch (c) {
case 'c':
- use_cifs_service_prefix = 1;
+ /* legacy option -- skip it */
break;
case 'v':
printf("version: %s\n", CIFSSPNEGO_VERSION);
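Review bot: The `case 'c':` arm now swallows the flag with no diagnostic, so an administrator whose request-key.conf still passes `-c` (the form the old manpage example used) gets no signal that it is ignored. A one-line notice next to the legacy-option comment would make the deprecation visible in the log, e.g. `syslog(LOG_INFO, "%s: -c is deprecated and ignored", prog);` before the `break;`, using the same `prog`/syslog pair usage() already relies on. The enclosing main() starts and ends outside this hunk.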
@@ -395,19 +395,23 @@ int main(const int argc, char *const argv[])
break;
}
- if (use_cifs_service_prefix)
- strlcpy(princ, "cifs/", datalen);
- else
- strlcpy(princ, "host/", datalen);
-
- strlcpy(princ + 5, arg.hostname, datalen - 5);
-
if (arg.sec == MS_KRB5)
oid = OID_KERBEROS5_OLD;
else
oid = OID_KERBEROS5;
+ /*
+ * try getting a cifs/ principal first and then fall back to
+ * getting a host/ principal if that doesn't work.
+ */
+ strlcpy(princ, "cifs/", datalen);
+ strlcpy(princ + 5, arg.hostname, datalen - 5);
rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
+ if (rc) {
+ memcpy(princ, "host/", 5);
+ rc = handle_krb5_mech(oid, princ, &secblob, &sess_key,
+ ccname);
+ }
SAFE_FREE(princ);
break;
default: