From c80cbf2f2cca3f32d4e3fd4df9eb6aa0f216f25a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 21 Dec 2016 22:17:22 +0100
Subject: [PATCH] auth/credentials: Always set the the realm if we set the
 principal from the ccache

This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
---
 auth/credentials/credentials_krb5.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0e68012..1912c48 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 					   enum credentials_obtained obtained,
 					   const char **error_string)
 {
-	
+	bool ok;
+	char *realm;
 	krb5_principal princ;
 	krb5_error_code ret;
 	char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 		return ret;
 	}
 
-	cli_credentials_set_principal(cred, name, obtained);
-
+	ok = cli_credentials_set_principal(cred, name, obtained);
+	if (!ok) {
+		krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+		return ENOMEM;
+	}
 	free(name);
 
+	realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+					     princ);
 	krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+	if (realm == NULL) {
+		return ENOMEM;
+	}
+	ok = cli_credentials_set_realm(cred, realm, obtained);
+	SAFE_FREE(realm);
+	if (!ok) {
+		return ENOMEM;
+	}
 
 	/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
 	cred->ccache_obtained = obtained;
-- 
2.9.3