From da05a099678b7a207654afb1f6216923c83dff7c Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 26 Mar 2025 16:49:01 +0000
Subject: [PATCH] daemon: Remove any previous credentials

Otherwise krb5 will append all credentials, but Heimdal only seems to
read the first (eventually) expired ticket.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/pakfire/daemon.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/pakfire/daemon.c b/src/pakfire/daemon.c
index 3e76ad1f..4d10005c 100644
--- a/src/pakfire/daemon.c
+++ b/src/pakfire/daemon.c
@@ -1009,6 +1009,15 @@ static int pakfire_daemon_auth(sd_event_source* s, uint64_t usec, void* data) {
 	DEBUG(daemon->ctx, "Successfully fetched credentials\n");
 	DEBUG(daemon->ctx, "  Expires: %s\n", time);
 
+	// Remove any previous credentials
+	r = krb5_cc_remove_cred(daemon->krb5.ctx, daemon->krb5.ccache, 0, &creds);
+	if (r) {
+		error = krb5_get_error_message(daemon->krb5.ctx, r);
+
+		ERROR(daemon->ctx, "Failed to remove credentials: %s\n", error);
+		goto ERROR;
+	}
+
 	// Store the credentials in the cache
 	r = krb5_cc_store_cred(daemon->krb5.ctx, daemon->krb5.ccache, &creds);
 	if (r) {
-- 
2.39.5