author | Greg Hudson <ghudson@mit.edu> | 2012-06-03 20:46:30 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-06-03 20:46:30 -0400 |
commit | 9421a2652f645bd0beef3e58b4b8fbc18d98f742 (patch) | |
tree | a6b5b3061d2120e68ba45458c6d4667dabd6d37c /src | |
parent | 71ca96850348569a7358b32301bb0cc60eb08103 (diff) | |
Fail from gss_acquire_cred if we have no keytab
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
ticket: 7159 (new)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 8 | ||||
-rw-r--r-- | src/tests/gssapi/t_gssapi.py | 7 |
2 files changed, 15 insertions, 0 deletions
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index c08e0597f..2bbee5fd8 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -227,6 +227,7 @@ acquire_accept_cred(krb5_context context, } if (desired_name != NULL) { + /* Make sure we keys matching the desired name in the keytab. */ code = check_keytab(context, kt, desired_name); if (code) { krb5_kt_close(context, kt); @@ -254,6 +255,13 @@ acquire_accept_cred(krb5_context context, *minor_status = code; return GSS_S_FAILURE; } + } else { + /* Make sure we have a keytab with keys in it. */ + code = krb5_kt_have_content(context, kt); + if (code) { + *minor_status = code; + return GSS_S_FAILURE; + } } cred->keytab = kt; diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index 3ace215db..18123b392 100644 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -78,6 +78,13 @@ output = realm.run_as_client(['./t_imp_cred', 'service2/dwight'], if 'Wrong principal in request' not in output: fail('Expected error message not seen in t_imp_cred output') +# Verify that we can't acquire acceptor creds without a keytab. +os.remove(realm.keytab) +output = realm.run_as_client(['./t_accname', 'abc'], expected_code=1) +if ('gss_acquire_cred: Keytab' not in output or + 'nonexistent or empty' not in output): + fail('Expected error message not seen for nonexistent keytab') + realm.stop() # Re-run the last acceptor name test with ignore_acceptor_hostname set |
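Review bot: The comment added above the check_keytab() call in the first acquire_cred.c hunk is missing a word: "Make sure we keys matching" should read `/* Make sure we have keys matching the desired name in the keytab. */`. No code change is needed here; the body of acquire_accept_cred starts and ends outside the hunk.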
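Review bot: The new `else` branch in the second acquire_cred.c hunk returns GSS_S_FAILURE without releasing `kt`, whereas the check_keytab() failure path visible in the first hunk calls `krb5_kt_close(context, kt)` before it returns. `cred->keytab = kt` is only reached after this branch, so nothing visible takes ownership of the handle on that path, and each failed acquisition against a missing or empty keytab would appear to leak the open keytab, which adds up in a long-running acceptor. Adding `krb5_kt_close(context, kt);` ahead of `*minor_status = code;` would match the earlier path. The error return shown as context just above the `else` has the same shape, but the code preceding it is outside the hunk, so whether it needs the same close cannot be confirmed from here.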
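Review bot: `os.remove(realm.keytab)` deletes the realm's keytab and nothing in the hunk restores it, so this check only stays valid while it is the last thing run against this realm before `realm.stop()`. A comment such as `# Keep this test last for this realm: the keytab is deleted and not restored.` would guard against a later test being appended below it. The assertion expects the "nonexistent or empty" message, but only the nonexistent case is exercised; an empty-keytab case would cover the other half of krb5_kt_have_content() if the harness makes that easy. Whether the re-run after `realm.stop()` recreates the keytab is outside the hunk.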