Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) Subject: gss_acquire_cred for krb5 initiator creds should fail if no tickets exist X-RT-Original-Encoding: iso-8859-1 Content-Length: 809 Prior to krb5 1.10, trying to acquire krb5 initiator creds and no desired name would fail if there is no ccache. In krb5 1.10, this failure is deferred until gss_init_sec_context, so that we can pick an initiator name based on the target name before looking for creds. However, if we have no creds available at all, we should fail immediately, so that the application can fall back appropriately. There are, of course, some failure cases we truly must defer until gss_init_sec_context time (such as .k5identity specifying a client principal we don't have creds for). A similar issue exists for acquiring acceptor creds when you have no keytab keys; see #7159. The fix there was to use the new krb5_kt_have_content API; we may need a krb5_cccol_have_content API to gracefully address this issue.