[krbdev.mit.edu #2137] krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Tue Jan 20 00:47:09 EST 2004


KfM and KfW both support the ability to display kinit dialogs
automatically under several circumstances:

* kclient api GetTicketGrantingTicket() when no tgt present
* krb4 krb_mk_req() call with service == "krbtgt" and no tgt present
* gssapi clients calling acquire_init_cred()
* krb5 clients calling krb5_fwd_tgt_creds() or krb5_sendauth()

However, there is a class of krb5 clients (such as sidecar, rcmd,
telnet) which all perform calls to krb5_cc_get_principal() prior to a
krb5_get_credentials() call.  The krb5_cc_get_principal() call is used
to set the client portion of the krb5_creds structure which is used to 
specify which credentials krb5_get_credentials() should obtain.

In the case where there is no ccache or no credentials in 
the ccache, krb5_cc_get_principal() returns an error which in turn 
prevents calls to krb5_get_credentials, krb5_mk_req, or krb5_sendauth
from being made.  krb5_cc_get_principal() looks like it would be a
nice place to place a hook for a kinit dialog until you realize that
krb5_cc_get_principal() is called at many times throughout the krb5
library for which we would certainly not desire a kinit dialog to
appear.

At the current time this is a limitation of what we can achieve.
I do not have a suggestion of how to address this limitation, but
if we have time the team should attempt to address it.
