From 76db37d833ac1c68fc6f4d1f45f4efcc95dd3bf3 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sun, 18 Jan 2026 20:49:30 -0600 Subject: [PATCH] sanon: Do not acquire creds for GSS_C_NO_NAME --- lib/gssapi/sanon/acquire_cred.c | 3 +++ lib/gssapi/sanon/add_cred.c | 3 +++ tests/kdc/check-fast.in | 12 ++++++------ 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/lib/gssapi/sanon/acquire_cred.c b/lib/gssapi/sanon/acquire_cred.c index 7aedd3e26..2f978a76f 100644 --- a/lib/gssapi/sanon/acquire_cred.c +++ b/lib/gssapi/sanon/acquire_cred.c @@ -46,6 +46,9 @@ _gss_sanon_acquire_cred_from(OM_uint32 *minor, { *minor = 0; + if (desired_name == GSS_C_NO_NAME) + return GSS_S_NO_CRED; + if (desired_name == GSS_C_NO_NAME || desired_name == _gss_sanon_anonymous_identity) *output_cred_handle = _gss_sanon_anonymous_cred; diff --git a/lib/gssapi/sanon/add_cred.c b/lib/gssapi/sanon/add_cred.c index f1dfeba13..1c17f9231 100644 --- a/lib/gssapi/sanon/add_cred.c +++ b/lib/gssapi/sanon/add_cred.c @@ -48,6 +48,9 @@ _gss_sanon_add_cred_from(OM_uint32 *minor, { *minor = 0; + if (desired_name == GSS_C_NO_NAME) + return GSS_S_NO_CRED; + if (output_cred_handle != NULL) { if (desired_name == GSS_C_NO_NAME || desired_name == _gss_sanon_anonymous_identity) diff --git a/tests/kdc/check-fast.in b/tests/kdc/check-fast.in index c2a5441df..fb0a858e9 100644 --- a/tests/kdc/check-fast.in +++ b/tests/kdc/check-fast.in @@ -146,8 +146,8 @@ ${kdestroy} for mech in sanon-x25519 spnego ; do echo "Trying ${mech} pre-authentication with FAST armor"; > messages.log - ${kinit} --fast-armor-cache=${acache} \ - --anonymous --gss-mech=${mech} @$R 2>/dev/null || \ + ${kinit} --fast-armor-cache=${acache} --anonymous \ + --gss-mech=${mech} --gss-name=anonymous @$R 2>/dev/null || \ { ec=1 ; eval "${testfailed}"; } echo "Getting service ticket" 
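Review bot: In `_gss_sanon_acquire_cred_from` the new `GSS_C_NO_NAME` early return exits before `*output_cred_handle` is assigned, so on the `GSS_S_NO_CRED` path the caller's handle keeps whatever value it held, unless the caller pre-initialises it, which is not visible here. Assigning `*output_cred_handle = GSS_C_NO_CREDENTIAL;` before the return would keep a caller that inspects or releases the handle after a failure from touching a stale one. The add_cred.c hunk has the same shape; there the assignment needs the NULL guard that function already uses, `if (output_cred_handle != NULL) *output_cred_handle = GSS_C_NO_CREDENTIAL;`. In both files the `desired_name == GSS_C_NO_NAME ||` arm of the condition that follows is now unreachable and could be dropped, so that the anonymous credential is visibly tied to the explicit anonymous identity only. Both function bodies continue past their hunks, so what happens to the other output parameters cannot be checked from here.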
@@ -155,8 +155,8 @@ for mech in sanon-x25519 spnego ; do ${kdestroy} echo "Trying ${mech} pre-authentication with anonymous FAST armor"; > messages.log - ${kinit} --pk-anon-fast-armor \ - --anonymous --gss-mech=${mech} @$R 2>/dev/null || \ + ${kinit} --pk-anon-fast-armor --anonymous \ + --gss-mech=${mech} --gss-name=anonymous @$R 2>/dev/null || \ { ec=1 ; eval "${testfailed}"; } echo "Getting service ticket" @@ -164,8 +164,8 @@ for mech in sanon-x25519 spnego ; do ${kdestroy} echo "Trying ${mech} pre-authentication with no FAST armor"; > messages.log - ${kinit} \ - --anonymous --gss-mech=${mech} @$R 2>/dev/null && \ + ${kinit} --anonymous \ + ----gss-mech=${mech} --gss-name=anonymous @$R 2>/dev/null && \ { ec=1 ; eval "${testfailed}"; } done
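Review bot: In the last hunk (the "no FAST armor" case) the added line spells the option `----gss-mech=${mech}` with four dashes, where the two cases above use `--gss-mech=${mech}`. This case asserts that kinit fails (`&& { ec=1 ; eval "${testfailed}"; }`) and sends stderr to `/dev/null`. If kinit rejects the malformed option, the check passes on the usage error alone and no longer verifies that unarmored GSS pre-authentication is refused. The line should read `--gss-mech=${mech} --gss-name=anonymous @$R 2>/dev/null && \`. The enclosing `for mech in …` loop starts before this hunk.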