commit 891bf46cd23dbbb24188456aad29ac0ead2bc31f
Author: Doug Nazar <nazard.michi@gmail.com>
Date:   Sat Jul 3 23:12:27 2010 -0400

    When not using machine credentials for root, if the machine
    credential cache file is newer than the root credential file
    the wrong file will get picked. Ignore the machine file in this
    case.

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index dccbeb6..d23654f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
 				free(namelist[i]);
 				continue;
 			}
+			if (uid == 0 && !root_uses_machine_creds && 
+				strstr(namelist[i]->d_name, "_machine_")) {
+				printerr(3, "CC file '%s' not available to root\n",
+					 statname);
+				free(namelist[i]);
+				continue;
+			}
 			if (!query_krb5_ccache(buf, &princname, &realm)) {
 				printerr(3, "CC file '%s' is expired or corrupt\n",
 					 statname);