1 |
jpp |
1.1 |
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c |
2 |
|
|
Author: Andreas Schneider <asn@samba.org> |
3 |
|
|
Date: Wed Dec 21 22:17:22 2016 +0100 |
4 |
|
|
|
5 |
|
|
auth/credentials: Always set the the realm if we set the principal from the ccache |
6 |
|
|
|
7 |
|
|
This fixes a bug in gensec_gssapi_client_start() where an invalid realm |
8 |
|
|
is used to get a Kerberos ticket. |
9 |
|
|
|
10 |
|
|
Signed-off-by: Andreas Schneider <asn@samba.org> |
11 |
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
12 |
|
|
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7) |
13 |
|
|
|
14 |
|
|
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c |
15 |
|
|
index 0e68012..1912c48 100644 |
16 |
|
|
--- a/auth/credentials/credentials_krb5.c |
17 |
|
|
+++ b/auth/credentials/credentials_krb5.c |
18 |
|
|
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, |
19 |
|
|
enum credentials_obtained obtained, |
20 |
|
|
const char **error_string) |
21 |
|
|
{ |
22 |
|
|
- |
23 |
|
|
+ bool ok; |
24 |
|
|
+ char *realm; |
25 |
|
|
krb5_principal princ; |
26 |
|
|
krb5_error_code ret; |
27 |
|
|
char *name; |
28 |
|
|
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, |
29 |
|
|
return ret; |
30 |
|
|
} |
31 |
|
|
|
32 |
|
|
- cli_credentials_set_principal(cred, name, obtained); |
33 |
|
|
- |
34 |
|
|
+ ok = cli_credentials_set_principal(cred, name, obtained); |
35 |
|
|
+ if (!ok) { |
36 |
|
|
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); |
37 |
|
|
+ return ENOMEM; |
38 |
|
|
+ } |
39 |
|
|
free(name); |
40 |
|
|
|
41 |
|
|
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context, |
42 |
|
|
+ princ); |
43 |
|
|
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); |
44 |
|
|
+ if (realm == NULL) { |
45 |
|
|
+ return ENOMEM; |
46 |
|
|
+ } |
47 |
|
|
+ ok = cli_credentials_set_realm(cred, realm, obtained); |
48 |
|
|
+ SAFE_FREE(realm); |
49 |
|
|
+ if (!ok) { |
50 |
|
|
+ return ENOMEM; |
51 |
|
|
+ } |
52 |
|
|
|
53 |
|
|
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ |
54 |
|
|
cred->ccache_obtained = obtained; |