Diffstat (limited to 'src')
-rw-r--r--src/clients/kpasswd/kpasswd.c59
-rw-r--r--src/include/krb5/krb5.hin17
-rw-r--r--src/lib/krb5/krb/gic_opt.c23
-rw-r--r--src/lib/krb5/libkrb5.exports1
-rw-r--r--src/tests/dejagnu/krb-standalone/kadmin.exp3
5 files changed, 76 insertions, 27 deletions
diff --git a/src/clients/kpasswd/kpasswd.c b/src/clients/kpasswd/kpasswd.c
index c79f2c85d..fc91bddef 100644
--- a/src/clients/kpasswd/kpasswd.c
+++ b/src/clients/kpasswd/kpasswd.c
@@ -70,6 +70,10 @@ int main(int argc, char *argv[])
com_err(argv[0], ret, "initializing kerberos library");
exit(1);
}
+ if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
+ com_err(argv[0], ret, "allocating krb5_get_init_creds_opt");
+ exit(1);
+ }
/* in order, use the first of:
- a name specified on the command line
@@ -77,40 +81,43 @@ int main(int argc, char *argv[])
- the name corresponding to the ruid of the process
otherwise, it's an error.
+ We always attempt to open the default ccache in order to use FAST if
+ possible.
*/
-
- if (pname) {
- if ((ret = krb5_parse_name(context, pname, &princ))) {
- com_err(argv[0], ret, "parsing client name");
- exit(1);
- }
+ ret = krb5_cc_default(context, &ccache);
+ if (ret != 0) {
+ com_err(argv[0], ret, "opening default ccache");
+ exit(1);
+ }
+ ret = krb5_cc_get_principal(context, ccache, &princ);
+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
+ com_err(argv[0], ret, "getting principal from ccache");
+ exit(1);
} else {
- ret = krb5_cc_default(context, &ccache);
- if (ret != 0) {
- com_err(argv[0], ret, "opening default ccache");
- exit(1);
- }
-
- ret = krb5_cc_get_principal(context, ccache, &princ);
- if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
- com_err(argv[0], ret, "getting principal from ccache");
+ if (princ != NULL)
+ ret = krb5_get_init_creds_opt_set_fast_ccache(context, opts, ccache);
+ else ret = 0;
+ if (ret) {
+ com_err(argv[0], ret, "while setting default ccache name");
exit(1);
}
-
- ret = krb5_cc_close(context, ccache);
- if (ret != 0) {
- com_err(argv[0], ret, "closing ccache");
+ }
+ ret = krb5_cc_close(context, ccache);
+ if (ret != 0) {
+ com_err(argv[0], ret, "closing ccache");
+ exit(1);
+ }
+ if (pname) {
+ krb5_free_principal(context, princ);
+ princ = NULL;
+ if ((ret = krb5_parse_name(context, pname, &princ))) {
+ com_err(argv[0], ret, "parsing client name");
exit(1);
}
-
- if (princ == NULL)
- get_name_from_passwd_file(argv[0], context, &princ);
}
+ if (princ == NULL)
+ get_name_from_passwd_file(argv[0], context, &princ);
- if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
- com_err(argv[0], ret, "allocating krb5_get_init_creds_opt");
- exit(1);
- }
krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
krb5_get_init_creds_opt_set_renew_life(opts, 0);
krb5_get_init_creds_opt_set_forwardable(opts, 0);
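Review bot: The default ccache is accepted as FAST armor solely because `krb5_cc_get_principal()` returned a principal; nothing in this hunk checks that the cache still holds a usable TGT, or that it relates to the principal being changed when `pname` is given. Whether an expired or unrelated cache makes the later request fail, instead of falling back to an unarmored exchange, is decided outside this hunk, so it deserves a comment here and a test case with a stale cache. The failure message `"while setting default ccache name"` describes a different operation and breaks the phrasing of the neighbouring messages; `com_err(argv[0], ret, "setting FAST ccache");` would match them. main() begins and ends outside the hunk, so `princ` being initialised to NULL before the `krb5_cc_get_principal()` call is assumed, not visible.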
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f49ef95e2..c81a0f21e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1434,6 +1434,11 @@ typedef struct _krb5_cccol_cursor *krb5_cccol_cursor;
#define KRB5_TC_OPENCLOSE 0x00000001
#define KRB5_TC_NOTICKET 0x00000002
+/** Retrieve the name but not type of a credential cache @returns The name of
+ * the credential cache as an alias that should not be freed or modified by the
+ * caller. This name does not include the type portion, so cannot be used as
+ * input to krb5_cc_resolve().
+ */
const char * KRB5_CALLCONV
krb5_cc_get_name(krb5_context context, krb5_ccache cache);
@@ -1484,6 +1489,9 @@ krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags);
krb5_error_code KRB5_CALLCONV
krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags);
+/** Retrive the type of a credential cache @returns The type of a credential
+ * cache as an alias that should not be modified or freed by the caller.
+ */
const char * KRB5_CALLCONV
krb5_cc_get_type(krb5_context context, krb5_ccache cache);
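Review bot: The added doc comment for `krb5_cc_get_type()` misspells "Retrieve" as `Retrive`, and as a `/** */` block in the public header the typo will presumably be carried into any generated API reference. The brief description and `@returns` also run together on one line with no sentence break; ending the brief with a period and starting `@returns` on its own ` * ` line would keep the two parts distinct, and the same applies to the `krb5_cc_get_name()` comment in the previous hunk.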
@@ -2329,6 +2337,15 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
krb5_get_init_creds_opt *opt,
const char *fast_ccache_name);
+/** Set the FAST ccache name as in
+ * krb5_get_init_creds_opt_set_fast_ccache_name() but using a krb5_ccache
+ * rather than a name
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_ccache(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache fast_ccache_name);
+
/**
* Set a ccache where resulting credentials will be stored. If set, then the
* krb5_get_init_creds family of APIs will write out credentials to the given
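Review bot: The new prototype names its `krb5_ccache` parameter `fast_ccache_name`, although it is a cache handle and the definition in gic_opt.c calls it `ccache`; renaming it to `krb5_ccache ccache);` here keeps header and implementation in step. The doc comment also omits what a caller of an armor-selection API needs to know: the definition in this commit records only the cache's type and name, and kpasswd closes the handle right after the call, so the caller evidently keeps ownership. A line such as `@param ccache Cache holding the armor ticket; only its type and name are recorded, so the caller may close the handle afterwards.` plus a `@retval` for the ENOMEM case would document that contract.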
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index 36f4f00a1..dc7095bdc 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -1,6 +1,7 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "int-proto.h"
+#include "k5-buf.h"
static void
init_common(krb5_get_init_creds_opt *opt)
@@ -431,6 +432,28 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
}
krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_ccache(
+ krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache)
+{
+ krb5_error_code retval = 0;
+ struct k5buf buf;
+ char *cc_name;
+ krb5int_buf_init_dynamic(&buf);
+ krb5int_buf_add(&buf, krb5_cc_get_type(context, ccache));
+ krb5int_buf_add(&buf, ":");
+ krb5int_buf_add(&buf, krb5_cc_get_name(context, ccache));
+ cc_name = krb5int_buf_data(&buf);
+ if (cc_name)
+ retval = krb5_get_init_creds_opt_set_fast_ccache_name(context, opt, cc_name);
+ else retval = ENOMEM;
+ krb5int_free_buf(&buf);
+ return retval;
+}
+
+
+krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_ccache ccache)
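Review bot: `krb5_get_init_creds_opt_set_fast_ccache()` feeds the return values of `krb5_cc_get_type()` and `krb5_cc_get_name()` directly to `krb5int_buf_add()` without checking `ccache` or the returned pointers, and it is now an exported entry point. A guard such as `if (ccache == NULL) return EINVAL;` at the top would turn a caller mistake into an error code instead of what is presumably a NULL dereference; whether the two getters can return NULL for a valid handle is not visible here. Because only the `type:name` string is kept, the armor cache is presumably looked up again by that name when the request is made, so the cache actually used is whatever the name refers to at that point; this is worth one sentence in the function's comment. The `else retval = ENOMEM;` on a single line is easy to misread next to the long `if` branch and would be clearer as a separate `else` line with its own indented statement.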
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 413339b2a..b64a7dd0e 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -352,6 +352,7 @@ krb5_get_init_creds_opt_set_canonicalize
krb5_get_init_creds_opt_set_change_password_prompt
krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_expire_callback
+krb5_get_init_creds_opt_set_fast_ccache
krb5_get_init_creds_opt_set_fast_ccache_name
krb5_get_init_creds_opt_set_fast_flags
krb5_get_init_creds_opt_set_forwardable
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 1eac9e339..1822bc38a 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -996,10 +996,11 @@ proc kadmin_test { } {
}
# now test that we can kinit with principals/passwords.
+ # We defer kdestroying until after kpasswd at least once to test FAST automatic use in kpasswd
if {![kadmin_add testprinc1/instance thisisatest] \
|| ![kinit testprinc1/instance thisisatest 0] \
- || ![kdestroy] \
|| ![kpasswd_cpw testprinc1/instance thisisatest anothertest] \
+ || ![kdestroy] \
|| ![kinit testprinc1/instance anothertest 0] \
|| ![kdestroy] \
|| ![kpasswd_cpw testprinc1/instance anothertest goredsox] \