From: Greg Hudson Date: Thu, 14 Jun 2012 18:15:05 +0000 (-0400) Subject: Fail from gss_acquire_cred if we have no creds X-Git-Tag: krb5-1.11-alpha1~500 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cdb50c57f1852dabda4929129e1470e6b334a812;p=thirdparty%2Fkrb5.git Fail from gss_acquire_cred if we have no creds If a caller tries to acquire krb5 initiator creds with no desired name and we have no credentials in the cache collection, fail from gss_acquire_cred intead of deferring until gss_init_sec_context. ticket: 7160
---
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 2bbee5fd82..a784dd37d9 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -606,6 +606,14 @@ acquire_init_cred(krb5_context context,
 return GSS_S_CRED_UNAVAIL;
 }
 cred->ccache = ccache;
+ } else {
+ /* We haven't decided on a ccache or principal yet, but fail now if
+ * there are no krb5 credentials at all. */
+ code = krb5_cccol_have_content(context);
+ if (code != 0) {
+ *minor_status = code;
+ return GSS_S_CRED_UNAVAIL;
+ }
 }
 /*
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index a3a1330d6a..5350d92090 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -45,6 +45,13 @@ refserver = 'host/' + hostname + '@'
 #r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
 # (r1.keytab, r2.keytab, ktutil)])
+# Verify that we can't get initiator creds with no credentials in the
+# collection.
+output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'],
+ expected_code=1)
+if 'No Kerberos credentials available' not in output:
+ fail('Expected error not seen in output when no credentials available')
+
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
 ccname = 'DIR:' + ccdir
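Review bot: The comment in the new `else` branch of acquire_init_cred does not say that the krb5_cccol_have_content() call is only a snapshot of the collection at acquire time. The collection can be emptied or replaced before the ccache is actually chosen, so the deferred failure path in gss_init_sec_context still has to stay in place. I would extend the comment with something like `/* Early check only; the collection can change before the ccache is resolved, so later resolution must still handle missing creds. */`. The branch also reports every non-zero code as GSS_S_CRED_UNAVAIL, so a collection that could not be read is indistinguishable at the major-status level from an empty one; worth a word in the comment that callers should look at `*minor_status`. The `if` this `else` belongs to starts outside the hunk, so I cannot confirm from here that the branch is reached only in the no-desired-name case the commit message describes.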
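Review bot: The new check in t_ccselect.py passes on the exit code and the 'No Kerberos credentials available' text alone, so it would presumably also pass if the failure still came from gss_init_sec_context instead of gss_acquire_cred; the t_ccselect helper is not part of this diff, so that is inferred. If the helper's output names the failing GSS call, the test should assert on that as well, since failing earlier is the whole point of the change. The check also depends on r1's client environment holding no credentials at this point in the script, which nothing here states; a comment such as `# Must run before any client credentials are acquired for r1.` would keep a later edit from moving it below the kinit steps.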