>From 370b19eab0cdb266703d5f08fb45c9eb49bfe9f7 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 19 Jun 2013 18:47:25 +0200
Subject: [PATCH 3/3] Do not switch to credentials everytime.

If user decide to kinit as another user we do not want to switch back
to user ccache at another login. We will switch to new ccache if and only
if default principal name is the same as current principal name, or there is
not any default ccache.

https://fedorahosted.org/sssd/ticket/1936
---
 src/providers/krb5/krb5_child.c | 70 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 66 insertions(+), 4 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index f0ad6fe9e9befbc22f78bd82888d9100a62c4584..c27692ba6b0fd90ad15011184a2daede1f63220b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -436,6 +436,66 @@ done:
     return kerr;
 }
 
+#ifdef HAVE_KRB5_DIRCACHE
+static bool need_switch_to_principal(krb5_context ctx, krb5_principal princ)
+{
+    krb5_error_code kerr;
+    krb5_ccache default_cc = NULL;
+    krb5_principal default_princ = NULL;
+    char *default_full_name = NULL;
+    char *full_name = NULL;
+    bool ret = false;
+
+    kerr = krb5_cc_default(ctx, &default_cc);
+    if (kerr !=0) {
+        KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+        goto done;
+    }
+
+    kerr = krb5_cc_get_principal(ctx, default_cc, &default_princ);
+    if (kerr == KRB5_FCC_NOFILE) {
+        /* There is not any default cache. */
+        ret = true;
+        goto done;
+    } else if (kerr != 0) {
+        KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+        goto done;
+    }
+
+    kerr = krb5_unparse_name(ctx, default_princ, &default_full_name);
+    if (kerr !=0) {
+        KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+        goto done;
+    }
+
+    kerr = krb5_unparse_name(ctx, princ, &full_name);
+    if (kerr !=0) {
+        KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+        goto done;
+    }
+
+    if (0 == strcmp(default_full_name, full_name)) {
+        ret = true;
+    }
+
+done:
+    if (default_cc != NULL) {
+        kerr = krb5_cc_close(ctx, default_cc);
+        if (kerr != 0) {
+            KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);
+            goto done;
+        }
+    }
+
+    /* all functions can be safely called with NULL. */
+    krb5_free_principal(ctx, default_princ);
+    krb5_free_unparsed_name(ctx, default_full_name);
+    krb5_free_unparsed_name(ctx, full_name);
+
+    return ret;
+}
+#endif /* HAVE_KRB5_DIRCACHE */
+
 static krb5_error_code
 store_creds_in_ccache(krb5_context ctx, krb5_principal princ,
                       krb5_ccache cc, krb5_creds *creds)
@@ -466,10 +526,12 @@ store_creds_in_ccache(krb5_context ctx, krb5_principal princ,
     }
 
 #ifdef HAVE_KRB5_DIRCACHE
-    kerr = krb5_cc_switch(ctx, cc);
-    if (kerr != 0) {
-        KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);
-        goto done;
+    if (need_switch_to_principal(ctx, princ)) {
+        kerr = krb5_cc_switch(ctx, cc);
+        if (kerr != 0) {
+            KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);
+            goto done;
+        }
     }
 #endif /* HAVE_KRB5_DIRCACHE */
 
-- 
1.8.1.4