Subject: | kinit can create duplicate ccache in collection with default principal |
When the default cache type is collection-enabled, kinit is supposed to
look for an existing cache matching the principal for which it will
acquire tickets. This happens when an explicit principal is given, but
not when the default principal is used. For example, in the sequence:
KRB5CCNAME=DIR:/path/to/empty/directory
export KRB5CCNAME
kinit
kinit someotherprincipal
kdestroy
kinit
After kdestroy is run, the collection's primary selection is
uninitialized, and it contains a cache with tickets for $USER. "kinit
$USER" would search the collection and find that cache to put
credentials in. But because no explicit principal name was specified,
krb5_cc_cache_match() is not used, and a second cache for $USER is
initialized.
The code is currently structured to choose the output ccache first and
the principal name second, because the principal name can be taken from
the output ccache (if it exists). We will need to alter the structure
somehow to handle this case correctly.
look for an existing cache matching the principal for which it will
acquire tickets. This happens when an explicit principal is given, but
not when the default principal is used. For example, in the sequence:
KRB5CCNAME=DIR:/path/to/empty/directory
export KRB5CCNAME
kinit
kinit someotherprincipal
kdestroy
kinit
After kdestroy is run, the collection's primary selection is
uninitialized, and it contains a cache with tickets for $USER. "kinit
$USER" would search the collection and find that cache to put
credentials in. But because no explicit principal name was specified,
krb5_cc_cache_match() is not used, and a second cache for $USER is
initialized.
The code is currently structured to choose the output ccache first and
the principal name second, because the principal name can be taken from
the output ccache (if it exists). We will need to alter the structure
somehow to handle this case correctly.