authorJeffrey Altman <jaltman@secure-endpoints.com>2004-02-01 05:40:48 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2004-02-01 05:40:48 +0000
commit250fdf95725849dfc0936adbfb3a0a921bc613d5 (patch)
tree00bbde35918ced96a8c94f823b70a11acdfc7c1d /src/windows/ms2mit
parent084b351bb4d2fe665423e5232530bc1aa4b70fa3 (diff)
* Do not perform ticket importing if the initial TGT is not available
from the MSLSA krb5_ccache. This will be the case if the session key enctype is NULL. (AllowTGTSessionKey regkey = 0) ticket: new target: 1.3.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15994 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/ms2mit')
-rw-r--r--src/windows/ms2mit/ChangeLog6
-rw-r--r--src/windows/ms2mit/ms2mit.c44
2 files changed, 48 insertions, 2 deletions
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
index 71577d979d..d7ac6af443 100644
--- a/src/windows/ms2mit/ChangeLog
+++ b/src/windows/ms2mit/ChangeLog
@@ -1,3 +1,9 @@
+2004-01-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * ms2mit.c: Do not allow ticket importing of the Initial TGT cannot
+ be obtained. The MSLSA krb5_ccache will not export the Initial TGT
+ if the session key enctype is NULL.
+
2003-12-11 Jeffrey Altman <jaltman@mit.edu>
* ms2mit.c, Makefile.in:
diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
index 4674a4b712..3d3809e6a5 100644
--- a/src/windows/ms2mit/ms2mit.c
+++ b/src/windows/ms2mit/ms2mit.c
@@ -39,36 +39,76 @@ main(
krb5_error_code code;
krb5_ccache ccache=NULL;
krb5_ccache mslsa_ccache=NULL;
- krb5_get_init_creds_opt opts;
krb5_principal princ;
+ int initial_ticket = 0;
if (code = krb5_init_context(&kcontext)) {
com_err(argv[0], code, "while initializing kerberos library");
exit(1);
}
- krb5_get_init_creds_opt_init(&opts);
if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) {
com_err(argv[0], code, "while opening MS LSA ccache");
+ krb5_free_context(kcontext);
+ exit(1);
+ }
+
+ /* Enumerate tickets from cache looking for an initial ticket */
+ if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) {
+ com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache");
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_free_context(kcontext);
+ exit(1);
+ }
+
+ while (!(code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds)))
+ {
+ if ( creds.ticket_flags & TKT_FLG_INITIAL ) {
+ krb5_free_cred_contents(kcontext, &creds);
+ initial_ticket = 1;
+ break;
+ }
+ krb5_free_cred_contents(kcontext, &creds);
+ }
+ krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
+
+ if ( !initial_ticket ) {
+ fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n",
+ argv[0]);
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) {
com_err(argv[0], code, "while obtaining MS LSA principal");
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_default(kcontext, &ccache)) {
com_err(argv[0], code, "while getting default ccache");
+ krb5_free_principal(kcontext, princ);
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_initialize(kcontext, ccache, princ)) {
com_err (argv[0], code, "when initializing ccache");
+ krb5_free_principal(kcontext, princ);
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_cc_close(kcontext, ccache);
+ krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) {
com_err (argv[0], code, "while copying MS LSA ccache to default ccache");
+ krb5_free_principal(kcontext, princ);
+ krb5_cc_close(kcontext, ccache);
+ krb5_cc_close(kcontext, mslsa_ccache);
+ krb5_free_context(kcontext);
exit(1);
}
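Review bot: The enumeration loop `while (!(code = krb5_cc_next_cred(...)))` stops on any non-zero return, and the `if ( !initial_ticket )` branch after it prints the "not available" message without looking at `code`, so a failure to read the MS LSA cache is reported as a missing initial ticket. Placed before that branch, a check such as `if (!initial_ticket && code != KRB5_CC_END) com_err(argv[0], code, "while reading MS LSA ccache");` would keep the two cases apart for whoever diagnoses a failed import. The test also accepts any credential with `TKT_FLG_INITIAL` set, while the commit message speaks of the initial TGT; if the LSA can hold an initial ticket for a non-krbtgt service, comparing the server principal as well would match the stated intent, though whether that can happen is not visible from the hunk. `cursor` and `creds` are not declared in the visible lines, and main's body starts and ends outside the hunk.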