authorStefan Metzmacher <metze@samba.org>2015-02-10 13:27:57 +0100
committerStefan Metzmacher <metze@samba.org>2015-07-08 18:38:20 +0200
commitfca11edc0b476f5b87b3301da32fd0409d9590c7 (patch)
treebaee64439d3a67066804981f36c3837a2f75b665
parent3a14835d18905b162929d65175f7ee24a99d522a (diff)
downloadsamba-fca11edc0b476f5b87b3301da32fd0409d9590c7.tar.gz
heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always be directed to a KDC of the local (default) realm. The KDC directs the client towards the final realm. See rfc6806.txt. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 6c874126ab5..b6c0a643e95 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1798,6 +1798,18 @@ krb5_init_creds_step(krb5_context context,
ctx->cred.client,
*ctx->error.crealm);
+ if (ret)
+ goto out;
+
+ if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+ ret = krb5_init_creds_set_service(context, ctx, NULL);
+ if (ret)
+ goto out;
+ }
+
+ free_AS_REQ(&ctx->as_req);
+ memset(&ctx->as_req, 0, sizeof(ctx->as_req));
+
ctx->used_pa_types = 0;
}
if (ret)
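Review bot: The realm written into `ctx->cred.client`, and then used to re-target the krbtgt service via `krb5_init_creds_set_service(context, ctx, NULL)`, comes from `ctx->error.crealm`, i.e. from a KRB-ERROR reply, and nothing in this hunk bounds how often that can happen. KRB-ERROR messages are normally not integrity-protected, so a looping or forged KRB5_KDC_ERR_WRONG_REALM could keep the step function rebuilding the AS-REQ unless a hop limit exists outside the hunk (the enclosing branch and any caller loop are not visible here). If no such limit exists, a referral counter in the context checked before `krb5_principal_set_realm()` would close that; either way a comment such as `/* realm comes from an unauthenticated KRB-ERROR; the reply is still checked against the request */` would record the trust assumption. The `memset` of `ctx->as_req` is also what makes the `cname == NULL` test in the second hunk rebuild the request, which deserves a one-line comment.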
@@ -1805,6 +1817,15 @@ krb5_init_creds_step(krb5_context context,
}
}
+ if (ctx->as_req.req_body.cname == NULL) {
+ ret = init_as_req(context, ctx->flags, &ctx->cred,
+ ctx->addrs, ctx->etypes, &ctx->as_req);
+ if (ret) {
+ free_init_creds_ctx(context, ctx);
+ return ret;
+ }
+ }
+
if (ctx->as_req.padata) {
free_METHOD_DATA(ctx->as_req.padata);
free(ctx->as_req.padata);
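Review bot: The failure path of the added `init_as_req()` call tears down the whole context with `free_init_creds_ctx(context, ctx)` and returns directly, while every failure added in the first hunk uses `goto out`. If the caller still releases `ctx` after a failed step (its free routine is not visible here), the members would be released twice unless `free_init_creds_ctx` zeroes the structure. Unless that teardown is required at this point, `if (ret) goto out;` would match the rest of the function and leave ownership with the caller. The body of `krb5_init_creds_step` continues outside the hunk, so what `out:` does there should be confirmed.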