From d1d900034f77e62ec19751a0672dc8ec1e6eeef2 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 25 May 2020 14:07:05 -0500
Subject: [PATCH] kinit: Make default-for-princ behavior optional

We can't just default to useing the krb5_cc_default_for() ccache for a principal -- that breaks a number of uses of kinit.
---
 kuser/kinit.1 | 28 ++++++++++++++++++++++++++++
 kuser/kinit.c | 22 +++++++++++++++++-----
 tests/kdc/check-cc.in | 4 ++--
 3 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/kuser/kinit.1 b/kuser/kinit.1
index da571768a..8005a7b97 100644
--- a/kuser/kinit.1
+++ b/kuser/kinit.1
@@ -40,6 +40,7 @@
 .Sh SYNOPSIS
 .Nm kinit
 .Op Fl Fl no-change-default
+.Op Fl Fl default-for-principal
 .Op Fl Fl afslog
 .Oo Fl c Ar cachename \*(Ba Xo
 .Fl Fl cache= Ns Ar cachename
@@ -114,6 +115,32 @@ the name of the principal whose credentials are stored therein.
 This option is ignored if the
 .Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
 option is given.
+See also
+.Xr kswitch 1 .
+.It Fl Fl default-for-principal
+If this option is given and
+.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
+is not given, then the cache that will be used will be one that
+is appropriate for the client principal. For example, if the
+default cache type is
+.Ar FILE
+then the default cache may be either
+.Ar FILE:/tmp/krb5cc_%{uid}+%{principal_name}
+or
+.Ar FILE:/tmp/krb5cc_%{uid}
+if the principal is the default principal for the user, meaning
+that it is of rht form
+.Ar ${USER}@${user_realm}
+or
+.Ar ${USER}@${default_realm} .
+This option implies
+.Fl Fl no-change-default
+unless
+.Fl Fl change-default
+is given. Caches for the user can be listed with the
+.Fl l
+option to
+.Xr klist 1 .
 .It Fl f Fl Fl forwardable
 Obtain a ticket than can be forwarded to another host.
 .It Fl F Fl Fl no-forwardable
@@ -253,6 +280,7 @@ the default being
 .Sh SEE ALSO
 .Xr kdestroy 1 ,
 .Xr klist 1 ,
+.Xr kswitch 1 ,
 .Xr krb5_appdefault 3 ,
 .Xr krb5.conf 5
 .\".Sh STANDARDS
diff --git a/kuser/kinit.c b/kuser/kinit.c
index c08ae4a65..2a0c24333 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -64,7 +64,8 @@ char *server_str = NULL;
 static krb5_principal tgs_service;
 char *cred_cache = NULL;
 char *start_str = NULL;
-static int switch_cache_flags = 1;
+static int switch_cache_flags = -1;
+static int default_for = 0;
 struct getarg_strings etype_str;
 int use_keytab = 0;
 char *keytab_str = NULL;
@@ -191,6 +192,9 @@ static struct getargs args[] = {
 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
 NP_("switch the default cache to the new credentials cache", ""), NULL },
+ { "default-for-principal", 0, arg_negative_flag, &default_for,
+ NP_("use a default cache appropriate for the client principal name", ""), NULL },
+
 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
 NP_("honor ok-as-delegate on tickets", ""), NULL },
@@ -1364,7 +1368,6 @@ main(int argc, char **argv)
 #endif
 krb5_boolean unique_ccache = FALSE;
 krb5_boolean historical_anon_pkinit = FALSE;
- krb5_boolean default_for = FALSE;
 int anonymous_pkinit = FALSE;
 setprogname(argv[0]);
@@ -1493,11 +1496,19 @@ main(int argc, char **argv)
 krb5_cc_get_name(context, ccache));
 setenv("KRB5CCNAME", s, 1);
 unique_ccache = TRUE;
- } else {
+ } else if (default_for) {
 ret = krb5_cc_default_for(context, principal, &ccache);
- default_for = TRUE;
+ if (switch_cache_flags == -1)
+ switch_cache_flags = 0;
+ } else {
+ ret = krb5_cc_default(context, &ccache);
+ if (switch_cache_flags == -1)
+ switch_cache_flags = 0;
 }
+ if (switch_cache_flags == -1)
+ switch_cache_flags = 1;
+
 if (ret)
 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
@@ -1535,7 +1546,8 @@ main(int argc, char **argv)
 if (renew_flag || validate_flag) {
 ret = renew_validate(context, renew_flag, validate_flag,
- &ccache, principal, default_for, server_str,
+ &ccache, principal,
+ default_for ? TRUE : FALSE, server_str,
 ticket_life);
 #ifndef NO_AFS
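Review bot: `switch_cache_flags = -1` now encodes "neither --change-default nor --no-change-default was given" and is only resolved much later in main() after the ccache is chosen, but nothing at the definition says so, and a reader of the args[] table below sees a negative flag whose initial value is neither 0 nor 1. Suggest `static int switch_cache_flags = -1; /* -1: not given on the command line; resolved in main() once the ccache is chosen */`. `default_for` has moved from a `krb5_boolean` local to a file-scope `int` because it is now written by getarg; a one-line comment saying it is the `--default-for-principal` option value would save the reader a jump to the table.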
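Review bot: the new args[] entry uses `arg_negative_flag` for an option whose default is 0 and whose documented spelling is `--default-for-principal`; in this table `arg_negative_flag` is what `change-default` uses (default on, documented as `--no-change-default`), so getarg's usage output will presumably list this one as `--no-default-for-principal`, contradicting the SYNOPSIS added to kinit.1 in the same patch. Unless the negated form is intended, `{ "default-for-principal", 0, arg_flag, &default_for,` matches the documented spelling and the `ok-as-delegate` entry right below. The args[] initializer starts outside the hunk.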
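Review bot: the plain `krb5_cc_default()` branch also forces `switch_cache_flags` to 0 when the option was not given, so the pre-patch default of 1 now survives only for the explicitly named cache branch that begins above the hunk; the man page added in this patch documents the implied `--no-change-default` only for `--default-for-principal`, and the commit message does not mention the plain default path. If that is intended (switching to a cache that is already the default presumably changes nothing), say so where the value is resolved, e.g. `/* -1: --[no-]change-default not given; only an explicitly named cache is made the primary, both default paths leave it alone. */` above `if (switch_cache_flags == -1)`. The two identical `if (switch_cache_flags == -1) switch_cache_flags = 0;` blocks could then collapse into one assignment after the if/else chain, keyed on the same condition that selects the named-cache branch. main() continues outside the hunk.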
diff --git a/tests/kdc/check-cc.in b/tests/kdc/check-cc.in
index e69621523..ce95b3006 100644
--- a/tests/kdc/check-cc.in
+++ b/tests/kdc/check-cc.in
@@ -139,8 +139,8 @@ export KRB5_CONFIG
 unset KRB5CCNAME
 rm -rf ${objdir}/kt ${objdir}/cc_dir
 mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
-${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }
-${kinit} --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }
+${kinit} --default-for-principal --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
 primary=`cat ${objdir}/cc_dir/primary`
 [ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
 ${klist} -l |
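Review bot: both invocations now pass `--default-for-principal`, so the plain `${kinit} foo@${R}` path, whose default-cache handling kinit.c also changes in this patch, is no longer exercised by this script unless another test covers it. The first kinit now implies `--no-change-default` as well, so the `primary` check two lines later presumably relies on a fresh, empty cc_dir collection adopting foo's cache as primary without an explicit switch; if that is what is being asserted, a comment such as `# first kinit into the empty collection must become primary without an explicit switch` before the check would make the dependency clear. The test body continues outside the hunk.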