From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 13 Sep 2019 14:04:30 +0000 (+0200)
Subject: krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal
X-Git-Tag: talloc-2.3.1~705
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614;p=thirdparty%2Fsamba.git

krb5_wrap: smb_krb5_kinit_password_ccache() should always use the canonicalized principal

We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 72889fffcf0..55c17d481f4 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2114,14 +2114,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
 		return code;
 	}
 
-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
 	/*
 	 * We need to store the principal as returned from the KDC to the
 	 * credentials cache. If we don't do that the KRB5 library is not
 	 * able to find the tickets it is looking for
 	 */
 	principal = my_creds.client;
-#endif
 	code = krb5_cc_initialize(ctx, cc, principal);
 	if (code) {
 		goto done;