s4:auth: use the correct client realm in gensec_gssapi_update_internal()
authorStefan Metzmacher <metze@samba.org>
Tue, 17 Sep 2019 06:05:09 +0000 (08:05 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 24 Sep 2019 18:30:37 +0000 (18:30 +0000)
The function gensec_gssapi_client_creds() may call kinit and get
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.

It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source4/auth/gensec/gensec_gssapi.c

index afcc9e91bed42b486184ce328bfb2024449647e9..3f541885dfd2c4c50a6c2847c52ce08f2b3a2f8f 100644 (file)
@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
        const char *target_principal = gensec_get_target_principal(gensec_security);
        const char *hostname = gensec_get_target_hostname(gensec_security);
        const char *service = gensec_get_target_service(gensec_security);
-       const char *client_realm = cli_credentials_get_realm(cli_creds);
-       const char *server_realm = NULL;
        gss_OID gss_oid_p = NULL;
        OM_uint32 time_req = 0;
        OM_uint32 time_rec = 0;
@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
                switch (gensec_security->gensec_role) {
                case GENSEC_CLIENT:
                {
+                       const char *client_realm = NULL;
 #ifdef SAMBA4_USES_HEIMDAL
                        struct gsskrb5_send_to_kdc send_to_kdc;
                        krb5_error_code ret;
@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
                         * transitive forest trusts, would have to do the
                         * fallback ourself.
                         */
+                       client_realm = cli_credentials_get_realm(cli_creds);
 #ifndef SAMBA4_USES_HEIMDAL
                        if (gensec_gssapi_state->server_name == NULL) {
                                nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
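Review bot: The assignment `client_realm = cli_credentials_get_realm(cli_creds);` added after the comment block carries no hint that its position is load-bearing, so a later tidy-up could hoist it back next to the other `gensec_get_target_*()` lookups at the top of the function and silently reintroduce bug 14124. The commit message explains that the realm in the credentials object may only be canonicalized once gensec_gssapi_client_creds() has obtained a TGT, which presumably happens between the earlier declaration hunk and this one; the code itself should say so. I would precede the line with `/* Read the realm only now: gensec_gssapi_client_creds() may have run kinit and canonicalized the principal's realm (bug 14124). */`. Whether cli_credentials_get_realm() can return NULL here, which would then flow into smb_krb5_get_realm_from_hostname() in the last hunk, is not visible in this diff and worth confirming. gensec_gssapi_update_internal() starts and ends outside this hunk.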
@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
                        }
 #endif /* !SAMBA4_USES_HEIMDAL */
                        if (gensec_gssapi_state->server_name == NULL) {
+                               const char *server_realm = NULL;
+
                                server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
                                                                                hostname,
                                                                                client_realm);