Subject: | gss_acquire_cred for krb5 initiator creds should fail if no tickets exist |
Prior to krb5 1.10, trying to acquire krb5 initiator creds and no desired
name would fail if there is no ccache. In krb5 1.10, this failure is
deferred until gss_init_sec_context, so that we can pick an initiator
name based on the target name before looking for creds.
However, if we have no creds available at all, we should fail
immediately, so that the application can fall back appropriately. There
are, of course, some failure cases we truly must defer until
gss_init_sec_context time (such as .k5identity specifying a client
principal we don't have creds for).
A similar issue exists for acquiring acceptor creds when you have no
keytab keys; see #7159. The fix there was to use the new
krb5_kt_have_content API; we may need a krb5_cccol_have_content API to
gracefully address this issue.
name would fail if there is no ccache. In krb5 1.10, this failure is
deferred until gss_init_sec_context, so that we can pick an initiator
name based on the target name before looking for creds.
However, if we have no creds available at all, we should fail
immediately, so that the application can fall back appropriately. There
are, of course, some failure cases we truly must defer until
gss_init_sec_context time (such as .k5identity specifying a client
principal we don't have creds for).
A similar issue exists for acquiring acceptor creds when you have no
keytab keys; see #7159. The fix there was to use the new
krb5_kt_have_content API; we may need a krb5_cccol_have_content API to
gracefully address this issue.