Change in behavior for krb5_get_credentials()

Jeffrey Hutzelman jhutz at
Tue Apr 26 18:17:58 EDT 2005

On Tuesday, April 26, 2005 05:57:28 PM -0400 Sam Hartman <hartmans at> 

> 1)  Jeff's change.
> 2) Free the credentials on store error and return failure.  Add a flag
>    saying that we are prepared to accept credentials on error and use
> that in GSSAPI.
> 3) Jeff's change plus an flag saying you want store errors.  Clearly
>    document whether you get credentials on store errors. (I vote no)

I vote for option (1).

In case (3), you need to clearly document how to determine, at runtime, 
whether the credentials are valid after any particular error.  Otherwise it 
is impossible for an application to insure that it neither leaks memory nor 
attempts to free something that is invalid or already freed.

In any case, I think it is too messy for this interface to return both an 
error code _and_ valid credentials which the caller is responsible for 
freeing.  So I also vote no.

More information about the krbdev mailing list