From 4b479814747b69ec386d0e092f71678e6e193a75 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 26 Dec 2021 03:28:41 +0200 Subject: [PATCH] Don't fail krb5_cc_select() for no default realm If the target server principal is a host-based service without multiple dotted components and no default realm is configured, krb5_cc_select() can fail, and therefore gss_init_sec_context(). Continue without filling in the realm in this case. [ghudson@mit.edu: edited commit message and comment; slightly adjusted flow control] ticket: 9042 (new) --- src/lib/krb5/ccache/ccselect.c | 23 ++++++++++++----------- src/tests/gssapi/t_gssapi.py | 9 +++++++++ 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c index 6c360e1002..dee4c46162 100644 --- a/src/lib/krb5/ccache/ccselect.c +++ b/src/lib/krb5/ccache/ccselect.c @@ -147,18 +147,19 @@ krb5_cc_select(krb5_context context, krb5_principal server, server->type == KRB5_NT_SRV_HST && server->length == 2) { ret = krb5_get_fallback_host_realm(context, &server->data[1], &fbrealms); - if (ret) - goto cleanup; - - /* Make a copy with the first fallback realm. */ - ret = krb5_copy_principal(context, server, &srvcp); - if (ret) - goto cleanup; - ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); - if (ret) + /* Continue without realm if we failed due to no default realm. */ + if (ret && ret != KRB5_CONFIG_NODEFREALM) goto cleanup; - - server = srvcp; + if (!ret) { + /* Make a copy with the first fallback realm. */ + ret = krb5_copy_principal(context, server, &srvcp); + if (ret) + goto cleanup; + ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); + if (ret) + goto cleanup; + server = srvcp; + } } /* Consult authoritative modules first, then heuristic ones. */ diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 1740a6177a..5f093a198c 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py 
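Review bot: On the new fall-through path `ret` still holds KRB5_CONFIG_NODEFREALM when control leaves the `if (!ret)` block, so the tolerated error stays live in the variable that the `cleanup` path presumably returns. The rest of krb5_cc_select() lies outside the hunk, so it cannot be confirmed from here that every later path assigns `ret` before reaching `cleanup`; if one does not, callers would see the very error this change means to tolerate. Clearing it where it is tolerated keeps the intent local, for example an `else` branch on `if (!ret)` containing `ret = 0;`. The comment could also state the consequence for what follows, e.g. `/* The ccselect modules below then see the server principal with its realm left unfilled. */`.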
@@ -23,11 +23,20 @@ realm.run([kadminl, 'addprinc', '-randkey', 'service1/barack']) realm.run([kadminl, 'addprinc', '-randkey', 'service2/calvin']) realm.run([kadminl, 'addprinc', '-randkey', 'service2/dwight']) realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-']) +realm.run([kadminl, 'addprinc', '-randkey', 'http/localhost']) realm.run([kadminl, 'xst', 'service1/abraham']) realm.run([kadminl, 'xst', 'service1/barack']) realm.run([kadminl, 'xst', 'service2/calvin']) +realm.run([kadminl, 'xst', 'http/localhost']) realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew']) +# Test with no default realm and no dots in the server name. +realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost') +remove_default = {'libdefaults': {'default_realm': None}} +no_default = realm.special_env('no_default', False, krb5_conf=remove_default) +realm.run(['./t_accname', 'h:http@localhost'], expected_msg='http/localhost', + env=no_default) + # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). realm.run(['./t_accname', 'p:service1/andrew'], -- 2.47.2
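Review bot: The comment `# Test with no default realm and no dots in the server name.` sits above two t_accname runs, but the first uses the unmodified environment and only the second passes `env=no_default`. Both runs expect the same `http/localhost` output, so a reader cannot tell which one is the regression check; I would word it as `# Baseline with the default realm, then the same dotless host-based name with default_realm removed.` Nothing in the hunk confirms that the `'default_realm': None` override really removes the setting (presumably it does in this test framework). A short remark next to `remove_default` saying so would make it easier to notice if the second run ever passed for the wrong reason.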