From 02db43a1aede9cbafc7908333abf83680567aeca Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 12 Mar 2020 17:57:16 -0500
Subject: [PATCH] kinit: Prefer the default ccache when user_realm

If using the new --cache-default-for option, use the real default if the principal is the best principal for the user. A principal is the best principal for a user when the principal has just one component, the component is the user's username, and the realm is the configured user_realm.
---
 kuser/kinit.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/kuser/kinit.c b/kuser/kinit.c
index 367630621..0ec4eb3e7 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -1482,7 +1482,22 @@ main(int argc, char **argv)
 if (cred_cache) {
 ret = krb5_cc_resolve(context, cred_cache, &ccache);
 } else if (default_for_flag) {
- ret = krb5_cc_default_for(context, principal, &ccache);
+ char username[64];
+ char *user_realm;
+
+ if ((user_realm = get_user_realm(context)) == NULL)
+ user_realm = get_default_realm(context);
+ if (user_realm &&
+ krb5_principal_get_num_comp(context, principal) == 1 &&
+ strcmp(user_realm,
+ krb5_principal_get_realm(context, principal)) == 0 &&
+ roken_get_username(username, sizeof(username)) &&
+ strcmp(username,
+ krb5_principal_get_comp_string(context, principal, 0)) == 0)
+ ret = krb5_cc_default(context, &ccache);
+ else
+ ret = krb5_cc_default_for(context, principal, &ccache);
+ free(user_realm);
 } else {
 if (argc > 1) {
 char s[1024];
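Review bot: The new `else if (default_for_flag)` branch chooses between `krb5_cc_default()` and `krb5_cc_default_for()` with no comment, and it falls back to `get_default_realm()` when `get_user_realm()` returns NULL, which the commit message ("the configured user_realm") does not mention. A short comment above the `if (user_realm && ...)` test would record the rule, e.g. `/* Own principal (one component == local username, realm == user_realm or, failing that, the default realm): use the real default ccache */`. The match also depends on `roken_get_username()` filling `char username[64]`; its behaviour for longer names is not visible here, so it is worth confirming that it fails rather than truncates, since a truncated name could compare equal to a shorter principal component and steer another principal's credentials into the default ccache. The enclosing `main()` starts and ends outside the hunk.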