Subject: kinit can create duplicate ccache in collection with default principal
When the default cache type is collection-enabled, kinit is supposed to
look for an existing cache matching the principal for which it will
acquire tickets. This happens when an explicit principal is given, but
not when the default principal is used. For example, in the sequence:

KRB5CCNAME=DIR:/path/to/empty/directory
export KRB5CCNAME
kinit
kinit someotherprincipal
kdestroy
kinit

After kdestroy is run, the collection's primary selection is
uninitialized, and it contains a cache with tickets for $USER. "kinit
$USER" would search the collection and find that cache to put
credentials in. But because no explicit principal name was specified,
krb5_cc_cache_match() is not used, and a second cache for $USER is
initialized.

The code is currently structured to choose the output ccache first and
the principal name second, because the principal name can be taken from
the output ccache (if it exists). We will need to alter the structure
somehow to handle this case correctly.
From: ghudson@mit.edu
Subject: git commit

Improve kinit output credential cache selection

If kinit chooses a client principal based on anything other than the
current default ccache's principal name, apply collection rules if
possible. When applying collection rules, if we don't find an
existing cache for the client principal, use the default cache if it
is uninitialized, instead of creating a new one.

https://github.com/krb5/krb5/commit/d7b94742daae85329067b126d0a4bc5b2ea7e4a0
Author: Greg Hudson <ghudson@mit.edu>
Commit: d7b94742daae85329067b126d0a4bc5b2ea7e4a0
Branch: master
src/clients/kinit/kinit.c | 235 +++++++++++++++++++++++++--------------------
1 files changed, 131 insertions(+), 104 deletions(-)
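A toy model of the selection rules described in the ticket and in the commit message above, added here as an example; it is not code from krb5 or from this commit. The collection, the cache names (tkt1, tkt2, ...) and the principal names are constructed, and kinit_old/kinit_new are a reading of the before-and-after behaviour the text describes, not kinit's actual logic.

```python
class Collection:
    """Toy model of a DIR: ccache collection (constructed here, not libkrb5 code)."""
    def __init__(self):
        self.caches = {}      # name -> client principal; only initialized caches appear
        self.primary = None   # primary cache name; None = uninitialized selection
        self._next = 0

    def new_unique(self):     # fresh name; uninitialized until a principal is stored
        self._next += 1
        return f"tkt{self._next}"

    def default_cache(self):  # the primary if selected, else a fresh uninitialized name
        return self.primary if self.primary is not None else self.new_unique()

    def cache_match(self, princ):  # stand-in for krb5_cc_cache_match()
        return next((n for n, p in self.caches.items() if p == princ), None)

def kinit_old(coll, user, princ=None):  # pre-fix: output ccache first, principal second
    if princ is None:
        out = coll.default_cache()
        princ = coll.caches.get(out) or user   # no explicit name, so no cache_match()
    else:
        out = coll.cache_match(princ) or coll.new_unique()
    coll.caches[out], coll.primary = princ, out
    return out

def kinit_new(coll, user, princ=None):  # post-fix: collection rules unless name came from default ccache
    default = coll.default_cache()
    if princ is None and default in coll.caches:
        princ, out = coll.caches[default], default
    else:
        princ = princ or user
        out = coll.cache_match(princ)
        if out is None:   # no match: reuse the default cache if it is uninitialized
            out = default if default not in coll.caches else coll.new_unique()
    coll.caches[out], coll.primary = princ, out
    return out

def kdestroy(coll):  # destroy the primary cache; primary selection becomes uninitialized
    coll.caches.pop(coll.primary, None)
    coll.primary = None

def caches_for_user(kinit, user="alice"):  # run the ticket's sequence, count $USER caches
    coll = Collection()
    kinit(coll, user)
    kinit(coll, user, "someotherprincipal")
    kdestroy(coll)
    kinit(coll, user)
    return sum(1 for p in coll.caches.values() if p == user)
```

With the old rules the sequence leaves two caches for $USER; with the new rules the second plain kinit finds the existing one.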