From b5020bc839a8260b0148b0b5ba07b82cf88d654b Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sep 25 2013 12:08:53 +0000
Subject: krb5: Be more lenient on failures for old ccache
Fix a check for an error return code that can be returned when the ccache is not found. Even in case of other errors still do not fail authentication but allow it to proceed using a new ccache file if necessary.
Related: https://fedorahosted.org/sssd/ticket/2053
---
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index b373cb4..52e230c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -608,7 +608,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("check_if_ccache_file_is_used failed.\n"));
- goto done;
+ ccache_file = NULL;
 }
 } else {
 kr->active_ccache = false;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 7cf510c..ba58740 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1092,7 +1092,7 @@ errno_t sss_krb5_cc_verify_ccache(const char *ccname, uid_t uid, gid_t gid,
 kerr = krb5_cc_retrieve_cred(cc->context, cc->ccache, KRB5_TC_MATCH_TIMES, &mcred, &cred);
 if (kerr) {
- if (kerr == KRB5_CC_NOTFOUND) {
+ if (kerr == KRB5_CC_NOTFOUND || KRB5_FCC_NOFILE) {
 DEBUG(SSSDBG_TRACE_INTERNAL, ("TGT not found or expired.\n"));
 ret = EINVAL;
 } else {
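Review bot: In krb5_auth.c the new fall-through for `ret != EOK` continues with `ret` still holding the error and, as far as this hunk shows, without assigning `kr->active_ccache`, which the sibling `else` branch sets to `false` explicitly. If the ccache check can fail before writing that flag, later code would act on a stale value, so I would add `kr->active_ccache = false;` next to `ccache_file = NULL;`. The message is still logged at SSSDBG_CRIT_FAILURE without the error code even though the failure is no longer fatal; logging `ret` and stating that authentication continues with a new ccache, e.g. `("check_if_ccache_file_is_used failed (%d), using a new ccache.\n", ret)`, would make this fail-open path visible to whoever reads the logs. krb5_auth_send starts and ends outside the hunk, so whether `ret` is reset before the `done` label needs to be confirmed.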
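Review bot: In krb5_utils.c the new condition `kerr == KRB5_CC_NOTFOUND || KRB5_FCC_NOFILE` is always true, because the right-hand operand is a bare non-zero error constant rather than a comparison against `kerr`. Every failure of krb5_cc_retrieve_cred is therefore reported as "TGT not found or expired" with `ret = EINVAL`, and the `else` branch that follows can never run, which hides real ccache errors from the caller and from the logs. The line should read `if (kerr == KRB5_CC_NOTFOUND || kerr == KRB5_FCC_NOFILE) {`. The body of sss_krb5_cc_verify_ccache, including that `else` branch, continues outside the hunk.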