auth/credentials: Always set the the realm if we set the principal from the ccache

This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e974df9a0ba3c0ef9a04e3233addd7998259dc6a..a0346a265fe4ddd04af9467e3bbe117759abe50e 100644 (file)
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
                                           enum credentials_obtained obtained,
                                           const char **error_string)
 {
-       
+       bool ok;
+       char *realm;
        krb5_principal princ;
        krb5_error_code ret;
        char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
                return ret;
        }
 
-       cli_credentials_set_principal(cred, name, obtained);
-
+       ok = cli_credentials_set_principal(cred, name, obtained);
+       if (!ok) {
+               krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+               return ENOMEM;
+       }
        free(name);
 
+       realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+                                            princ);
        krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+       if (realm == NULL) {
+               return ENOMEM;
+       }
+       ok = cli_credentials_set_realm(cred, realm, obtained);
+       SAFE_FREE(realm);
+       if (!ok) {
+               return ENOMEM;
+       }
 
        /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
        cred->ccache_obtained = obtained;