--- loncom/auth/lonauth.pm 2017/08/08 17:01:25 1.145
+++ loncom/auth/lonauth.pm 2017/08/08 18:12:18 1.146
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.145 2017/08/08 17:01:25 raeburn Exp $
+# $Id: lonauth.pm,v 1.146 2017/08/08 18:12:18 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -478,38 +478,53 @@ sub handler {
 if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
 # ---------------------------------------------------- see if the su-user exists
 unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
- &Apache::lonnet::logthis(&Apache::lonnet::homeserver($suname,$sudom));
 # ------------------------------ see if the su-user is not too highly privileged
- unless (&Apache::lonnet::privileged($suname,$sudom)) {
+ if (&Apache::lonnet::privileged($suname,$sudom)) {
+ &Apache::lonnet::logthis('Attempted switch user to privileged user');
+ } else {
+ my $noprivswitch;
 #
 # su-user's home server and user's home server must have one of:
 # (a) same internet dom
 # (b) same primary library server for home server's domain
 # (c) same "internet domain" for primary library server for home server's domain
 #
+ my $uprim = &Apache::lonnet::domain($sudom,'primary');
+ my $uintdom = &Apache::lonnet::internet_dom($uprim);
 unless ($sudom eq $form{'udom'}) {
 my $suprim = &Apache::lonnet::domain($sudom,'primary');
- my $uprim = &Apache::lonnet::domain($sudom,'primary');
+ my $suintdom = &Apache::lonnet::internet_dom($suprim);
 unless ($suprim eq $uprim) {
- my $suintdom = &Apache::lonnet::internet_dom($suprim);
- my $uintdom = &Apache::lonnet::internet_dom($uprim);
 unless ($suintdom eq $uintdom) {
 &Apache::lonnet::logthis('Attempted switch user '
- .'to privileged user');
+ .'to user with different "internet domain".');
+ $noprivswitch = 1;
 }
 }
 }
+ unless ($noprivswitch) {
+#
+# server where log-in occurs must have same "internet domain" as su-user's home
+# server
+#
+ my $lonhost = $r->dir_config('lonHostID');
+ my $hostintdom = &Apache::lonnet::internet_dom($lonhost);
+ if ($hostintdom ne $uintdom) {
+ &Apache::lonnet::logthis('Attempted switch user on a '
+ .'server with a different "internet domain".');
+ } else {
+
 # -------------------------------------------------------- actually switch users
- &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
- ' logging in as '.$suname.':'.$sudom);
- $form{'uname'}=$suname;
- if ($form{'udom'} ne $sudom) {
- $form{'udom'}=$sudom;
+ &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.
+ $form{'udom'}.' logging in as '.$suname.':'.$sudom);
+ $form{'uname'}=$suname;
+ if ($form{'udom'} ne $sudom) {
+ $form{'udom'}=$sudom;
+ }
+ }
 }
- } else {
- &Apache::lonnet::logthis('Attempted switch user to privileged user');
 }
 }
 } else {
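Review bot: `$uprim` on the new side is derived from `$sudom` (`my $uprim = &Apache::lonnet::domain($sudom,'primary');`), the same domain `$suprim` is derived from two lines later, so `$suprim eq $uprim` is always true, the `unless ($suintdom eq $uintdom)` branch is unreachable, and `$noprivswitch` can never be set — the "different internet domain" restriction the comment block describes is never enforced. The comment says the user's home server is to be compared with the su-user's, so the line should presumably read `my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');` (the removed line used `$sudom` as well, so the commit carried the defect over rather than introducing it). Once that is corrected, `$uintdom` becomes the user's internet domain, whereas the comment above the `$lonhost` check says the login server must match the su-user's home server, so that comparison may need its own value computed from `$sudom`; worth confirming which domain is intended there. `handler` begins and ends outside the hunk.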