From 937ad9d2a00d1b993d37ff5801fd301eccd87556 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 27 Mar 2019 17:07:05 +0100
Subject: credentials: Initialize krb5 client to retrieve creds from ccache

MIT kerberos require krb5_creds.client to be initialized to match
krb5_creds.server with the cached credentials.

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 auth/credentials/credentials_krb5.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'auth')

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d8ca6d97115..901c573c655 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -406,6 +406,21 @@ _PUBLIC_ bool cli_credentials_failed_kerberos_login(struct cli_credentials *cred
 		return false;
 	}
 
+	/* MIT kerberos requires creds.client to match against cached
+	 * credentials */
+	ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context,
+				    ccc->ccache,
+				    &creds.client);
+	if (ret != 0) {
+		krb5_free_cred_contents(ccc->smb_krb5_context->krb5_context,
+					&creds);
+		DBG_ERR("krb5_cc_get_principal failed: %s\n",
+			smb_get_krb5_error_message(
+				ccc->smb_krb5_context->krb5_context,
+				ret, ccc));
+		return false;
+	}
+
 	ret = krb5_cc_retrieve_cred(ccc->smb_krb5_context->krb5_context, ccc->ccache, KRB5_TC_MATCH_SRV_NAMEONLY, &creds, &creds2);
 	if (ret != 0) {
 		/* don't retry - we didn't find these credentials to remove */
-- 
cgit v1.2.1