From 4ee7f390af4193656c1e6ba45c9c3c14dd64a8a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Dec 18 2012 18:04:06 +0000
Subject: select_principal_from_keytab() do wildcard lookups after specific ones

Currently the wildcard lookup '*$' is done before the one for host/our.hostname@REALM. This means we would ignore a more specific match in favour of an unspecific match with a principal which is only used in a AD environment. I think this is wrong an wildcards should only be used is all specific lookups fail.
---
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 0eb032a..1b8dc79 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -51,15 +51,15 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
 * Priority of lookup:
 * - our.hostname@REALM or host/our.hostname@REALM depending on the input
 * - our.hostname$@REALM (AD domain)
- * - foobar$@REALM (AD domain)
 * - host/our.hostname@REALM
+ * - foobar$@REALM (AD domain)
 * - host/foobar@REALM
 * - host/foo@BAR
 * - pick the first principal in the keytab
 */
- const char *primary_patterns[] = {"%s", "%s$", "*$", "host/%s", "host/*",
+ const char *primary_patterns[] = {"%s", "%s$", "host/%s", "*$", "host/*",
 "host/*", NULL};
- const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s",
+ const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s",
 NULL, NULL};
 
 DEBUG(5, ("trying to select the most appropriate principal from keytab\n"));
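Review bot: The reorder depends on `primary_patterns[i]` and `realm_patterns[i]` staying index-aligned with each other and with the priority list in the comment, and nothing on the new side states or enforces that pairing. It is safe here only because the two swapped slots both pair with realm `"%s"`; a later reorder that moves an entry across the `NULL` realm slots would, as far as the comment's `host/foo@BAR` line suggests, quietly change which realm a wildcard is allowed to match and so which keytab identity the host picks. I would add a comment above the arrays, `/* primary_patterns[i] is tried together with realm_patterns[i]; keep both in the priority order listed above */`, or fold the pairs into a single array of structs. The two `realm_patterns` lines read identically on this page, so that part of the change is presumably whitespace only. The function body starts before and continues past the hunk.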