author | Greg Hudson <ghudson@mit.edu> | 2012-06-14 14:15:05 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2012-06-15 00:15:37 -0400 |
commit | cdb50c57f1852dabda4929129e1470e6b334a812 (patch) | |
tree | e1f818416eab12a70202d6ef740271e5111ad8c2 /src | |
parent | 85afc74759792cfd3ed53daa7f42bce11ca4c536 (diff) | |
Fail from gss_acquire_cred if we have no creds
If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred instead of deferring until gss_init_sec_context.
ticket: 7160
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 8 | ||||
-rw-r--r-- | src/tests/gssapi/t_ccselect.py | 7 |
2 files changed, 15 insertions, 0 deletions
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 2bbee5fd8..a784dd37d 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -606,6 +606,14 @@ acquire_init_cred(krb5_context context,
 return GSS_S_CRED_UNAVAIL;
 }
 cred->ccache = ccache;
+ } else {
+ /* We haven't decided on a ccache or principal yet, but fail now if
+ * there are no krb5 credentials at all. */
+ code = krb5_cccol_have_content(context);
+ if (code != 0) {
+ *minor_status = code;
+ return GSS_S_CRED_UNAVAIL;
+ }
 }

 /*
diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index a3a1330d6..5350d9209 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -45,6 +45,13 @@ refserver = 'host/' + hostname + '@'
 #r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
 # (r1.keytab, r2.keytab, ktutil)])

+# Verify that we can't get initiator creds with no credentials in the
+# collection.
+output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'],
+ expected_code=1)
+if 'No Kerberos credentials available' not in output:
+ fail('Expected error not seen in output when no credentials available')
+
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
 ccname = 'DIR:' + ccdir
|
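Review bot: The check added in the new `else` branch is a point-in-time look at the cache collection, so passing it does not guarantee that credentials still exist when gss_init_sec_context later picks a ccache, and the comment does not say that the deferred path must keep handling the empty case. I would extend the comment with `/* Early check only: the collection can change before gss_init_sec_context, which must still fail cleanly if no creds are found. */`. Any non-zero code from `krb5_cccol_have_content`, not only "nothing found", is also reported as GSS_S_CRED_UNAVAIL, with the detail kept only in `*minor_status`; whether that helper can return other errors is not visible here. acquire_init_cred begins and ends outside the hunk.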
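Review bot: This negative test depends on r1's client cache collection being empty when it runs, but nothing in the hunk establishes or states that precondition; it presumably comes from how the realm is created earlier in the script, outside the hunk. A one-line comment such as `# Relies on r1 having no client credentials yet (no kinit has run above).` would stop a later edit that adds a kinit earlier in the script from silently breaking this check. The assertion also matches the literal text 'No Kerberos credentials available', so it is tied to the library's exact message wording.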