Diffstat (limited to 'src/lib/gssapi/krb5/init_sec_context.c')
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 13a971ffa6..acac47184b 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -77,6 +77,10 @@
#include <stdlib.h>
#include <assert.h>
+/*
+ * $Id$
+ */
+
/* XXX This is for debugging only!!! Should become a real bitfield
at some point */
int krb5_gss_dbg_client_expcreds = 0;
@@ -109,11 +113,25 @@ static krb5_error_code get_credentials(context, cred, server, now,
in_creds.keyblock.enctype = 0;
+ /*
+ * Initial iteration is necessary to catch a non-matching
+ * credential prior to looping through the GSSAPI-supported
+ * enctypes, since an enctype mismatch in the loop below will
+ * return KRB5_CC_NOTFOUND rather than one of the other error
+ * codes.
+ */
+ code = krb5_get_credentials(context, 0, cred->ccache,
+ &in_creds, out_creds);
+ if (code)
+ goto cleanup;
+ krb5_free_creds(context, *out_creds);
+ *out_creds = NULL;
for (i = 0; enctypes[i]; i++) {
in_creds.keyblock.enctype = enctypes[i];
code = krb5_get_credentials(context, 0, cred->ccache,
&in_creds, out_creds);
- if (code != KRB5_CC_NOT_KTYPE && code != KRB5KDC_ERR_ETYPE_NOSUPP)
+ if (code != KRB5_CC_NOT_KTYPE && code != KRB5_CC_NOTFOUND
+ && code != KRB5KDC_ERR_ETYPE_NOSUPP)
break;
}
if (enctypes[i] == 0) {
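Review bot: Adding `KRB5_CC_NOTFOUND` to the retry condition in the loop means a genuine "credential not found" on the last enctype can no longer be told apart from an enctype mismatch; the preliminary call narrows that window but does not close it, because the cache can change between the probe and the loop. What the caller then sees depends on the `if (enctypes[i] == 0)` branch, whose body lies outside the hunk, so it is worth confirming that it returns a specific error rather than whatever `code` was left by the last iteration. The probe also runs with `in_creds.keyblock.enctype = 0` and options `0`, so it is not restricted to the GSSAPI-supported enctypes and may, presumably, fetch a ticket that the loop will then reject; the block comment should say so, e.g. `/* Probe only: result is freed; the enctype restriction is enforced by the loop below. */`. get_credentials begins and ends outside the hunk.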