Subject: gss_acquire_cred for krb5 initiator creds should fail if no tickets exist
Prior to krb5 1.10, trying to acquire krb5 initiator creds with no desired
name would fail if there was no ccache. In krb5 1.10, this failure is
deferred until gss_init_sec_context, so that we can pick an initiator
name based on the target name before looking for creds.

However, if we have no creds available at all, we should fail
immediately, so that the application can fall back appropriately. There
are, of course, some failure cases we truly must defer until
gss_init_sec_context time (such as .k5identity specifying a client
principal we don't have creds for).

A similar issue exists for acquiring acceptor creds when you have no
keytab keys; see #7159. The fix there was to use the new
krb5_kt_have_content API; we may need a krb5_cccol_have_content API to
gracefully address this issue.
From: ghudson@mit.edu
Subject: SVN Commit

Fail from gss_acquire_cred if we have no creds

If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred instead of deferring until gss_init_sec_context.

https://github.com/krb5/krb5/commit/cdb50c57f1852dabda4929129e1470e6b334a812
Author: Greg Hudson <ghudson@mit.edu>
Commit: cdb50c57f1852dabda4929129e1470e6b334a812
Branch: master
src/lib/gssapi/krb5/acquire_cred.c | 8 ++++++++
src/tests/gssapi/t_ccselect.py | 7 +++++++
2 files changed, 15 insertions(+), 0 deletions(-)
This change probably breaks interactive ticket acquisition on Windows.
The whole code path is going to be reworked for keytab initiation, but we
should make sure that case works before 1.11.