If IAKERB is used with no TGT, return KRB5_CC_NOTFOUND instead of
authorGreg Hudson <ghudson@mit.edu>
Tue, 27 Apr 2010 09:36:28 +0000 (09:36 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 27 Apr 2010 09:36:28 +0000 (09:36 +0000)
going fruitlessly into the AS code path and returning EINVAL.  Also
better handle the case where service credentials exist but are of an
unsupported enctype.  Make a note that we aren't as consistent as we
would like to be in the case where the TGT exists but has expired.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/iakerb@23948 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/iakerb.c

index 3ae4f3bb2a2d39869bb9ad54a672a5fa2224bba4..ad98dad6e3aef7ac99a655c6b16ec18d32ac08b8 100644 (file)
@@ -707,7 +707,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
     code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
                                 cred->ccache,
                                 &in_creds, &out_creds);
-    if (code == KRB5_CC_NOTFOUND) {
+    if (code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) {
         krb5_principal tgs;
         krb5_data *realm = krb5_princ_realm(ctx->k5c, in_creds.client);
 
@@ -726,10 +726,14 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
 
         in_creds.server = tgs;
 
+        /* It would be nice if we could return KRB5KRB_AP_ERR_TKT_EXPIRED if
+         * the TGT is expired, for consistency with the krb5 mech.  As it
+         * stands, we won't see the expired TGT and will return
+         * KRB5_CC_NOTFOUND. */
         code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
                                     cred->ccache,
                                     &in_creds, &out_creds);
-        if (code == KRB5_CC_NOTFOUND) {
+        if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL) {
             *state = IAKERB_AS_REQ;
             code = 0;
         } else if (code == 0) {
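Review bot: The new TGT lookup condition only maps KRB5_CC_NOTFOUND to IAKERB_AS_REQ, so a cached TGT of an unsupported enctype (KRB5_CC_NOT_KTYPE) falls through to the else-if chain, whereas the earlier hunk's service-ticket lookup now treats KRB5_CC_NOT_KTYPE the same as KRB5_CC_NOTFOUND. If a password is available, that case presumably wants a fresh AS exchange too: `if ((code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) && cred->password.data != NULL) {`. Whether the remaining branches of the chain already handle it cannot be told from this hunk, since iakerb_get_initial_state continues past it; worth a check or a comment stating the intended outcome for that case. The "no password" fall-through now returns KRB5_CC_NOTFOUND as the commit intends, which is the visible behaviour of the new line.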