Add option to disallow getting krbtgt out from from KCM. KCM will do

the fetching part itself.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15296 ec53bebd-3082-4978-b11e-865c3cabbd6b

kcm/config.c

@@ -58,6 +58,7 @@ static const char *system_group = NULL;
 static const char *renew_life = NULL;
 static const char *ticket_life = NULL;
 
+int disallow_getting_krbtgt = -1;
 int name_constraints = -1;
 
 static int help_flag;
@@ -108,6 +109,10 @@ static struct getargs args[] = {
 	"name-constraints",	'n', arg_negative_flag, &name_constraints,
 	"disable credentials cache name constraints"
     },
+    {
+	"disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
+	"disable fetching krbtgt from the cache"
+    },
     {
 	"renewable-life",	'r', arg_string, &renew_life,
     	"renewable lifetime of system tickets", "time"
@@ -296,6 +301,12 @@ ccache_init_system(void)
 	ccache->mode = mode;
     }
 
+    if (disallow_getting_krbtgt == -1) {
+	disallow_getting_krbtgt =
+	    krb5_config_get_bool_default(kcm_context, NULL, FALSE, "kcm",
+					 "disallow-getting-krbtgt", NULL);
+    }
+
     /* enqueue default actions for credentials cache */
     ret = kcm_ccache_enqueue_default(kcm_context, ccache, NULL);
 

kcm/protocol.c

@@ -315,6 +315,15 @@ kcm_op_retrieve(krb5_context context,
 	return ret;
     }
 
+    if (disallow_getting_krbtgt &&
+	mcreds.client->name.name_string.len == 2 &&
+	strcmp(mcreds.client->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+    {
+	free(name);
+	krb5_free_creds_contents(context, &mcreds);
+	return KRB5_FCC_PERM;
+    }
+
     ret = kcm_ccache_resolve_client(context, client, opcode,
 				    name, &ccache);
     if (ret) {