- /* if it's mds service principal, check hostname */
- if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ),
- LGSS_SVC_MDS_STR) == 0) {
- if (svc_princ_is_local_host(ctx, princ, LL_WARN)) {
- logmsg(LL_WARN, "mds service principal not belongs "
- "to this node\n");
+ /* check principal name */
+ switch (flag) {
+ case LGSS_ROOT_CRED_ROOT:
+ princ_name = LGSS_USR_ROOT_STR;
+ break;
+ case LGSS_ROOT_CRED_MDT:
+ princ_name = LGSS_SVC_MDS_STR;
+ break;
+ case LGSS_ROOT_CRED_OST:
+ princ_name = LGSS_SVC_OSS_STR;
+ break;
+ default:
+ lassert(0);
+ }
+
+ if (lgss_krb5_strcmp(krb5_princ_name(ctx, princ), princ_name)) {
+ logmsg(LL_WARN, "%.*s: we expect %s instead\n",
+ krb5_princ_name(ctx, princ)->length,
+ krb5_princ_name(ctx, princ)->data,
+ princ_name);
+ return -1;
+ }
+
+ /*
+ * verify the hostname part of the principal, except we do allow
+ * lustre_root without binding to a host.
+ */
+ if (krb5_princ_component(ctx, princ, 1) == NULL) {
+ if (flag != LGSS_ROOT_CRED_ROOT) {
+ logmsg(LL_WARN, "%.*s: missing hostname\n",
+ krb5_princ_name(ctx, princ)->length,
+ krb5_princ_name(ctx, princ)->data);