From 30bc289aac00d1012e405c632017f14b657626b9 Mon Sep 17 00:00:00 2001
From: yixiangzhike <yixiangzhike007@163.com>
Date: Sun, 22 Feb 2026 15:24:14 +0800
Subject: [PATCH] Try to obtain new cred if the cred from rpc.gssd or other
 apps is defective.

Rpc.gssd or other applications may use the cache configured with default_ccache_name(krb5. conf). If the cache file of gssproxy (cred_store=ccache: FILE: xxxxxx) is deleted, the gssproxy service returns an empty credential when processing a GSSX_ARG-ACQUIRE_CRED request, unless the user clears the default_ccache_name cache. However, users may not even be aware of the existence of the default_ccache_name cache. In this situation, it may be better for gssproxy to try to obtain new credentials.

Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
---
 src/gp_creds.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gp_creds.c b/src/gp_creds.c
index acc248af4..17855b8ec 100644
--- a/src/gp_creds.c
+++ b/src/gp_creds.c
@@ -634,7 +634,8 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
         } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
-                   ret_maj == GSS_S_NO_CRED) {
+                   ret_maj == GSS_S_NO_CRED || 
+                   ret_maj == GSS_S_DEFECTIVE_CREDENTIAL) {
             /* continue and try to obtain new creds */
             ret_maj = 0;
             ret_min = 0;