Fail from gss_acquire_cred if we have no creds

If a caller tries to acquire krb5 initiator creds with no desired name and we have no credentials in the cache collection, fail from gss_acquire_cred intead of deferring until gss_init_sec_context. ticket: 7160
krb5 · Jun 15, 2012 · cdb50c5 · cdb50c5
1 parent 85afc74
commit cdb50c5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
@@ -606,6 +606,14 @@ acquire_init_cred(krb5_context context,
             return GSS_S_CRED_UNAVAIL;
         }
         cred->ccache = ccache;
+    } else {
+        /* We haven't decided on a ccache or principal yet, but fail now if
+         * there are no krb5 credentials at all. */
+        code = krb5_cccol_have_content(context);
+        if (code != 0) {
+            *minor_status = code;
+            return GSS_S_CRED_UNAVAIL;
+        }
     }
 
     /*

diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
@@ -45,6 +45,13 @@
 #r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
 #                  (r1.keytab, r2.keytab, ktutil)])
 
+# Verify that we can't get initiator creds with no credentials in the
+# collection.
+output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'],
+                          expected_code=1)
+if 'No Kerberos credentials available' not in output:
+    fail('Expected error not seen in output when no credentials available')
+
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
 ccname = 'DIR:' + ccdir