if the kerberos_kinit_password() fails, the function branches to out:, skipping the zero-ing of the creds struct, so it contains uninitialized pointers that are free()-ed. attached patch just moves the zero-initialization up a couple lines.

while i have your attention, though, i'm wondering how the new key-salt-guessing code is supposed to work. in net_ads_join(), the calls to kerberos_derive_salting_principal() and kerberos_derive_cifs_salting_principals() don't use the ADS_STRUCT that the rest of the function's preceding callees do. hence, they may end up talking to a different ADS server than the one that processed the join, depending on how the KDC is resolved--especially if one's followed the advice in the Howto and not set up a [realms] entry in krb5.conf. so, unless your AD replication is a bit quicker than ours is around here, kerberos_derive_salting_principal() may eventually result in a KDC_ERR_C_PRINCIPAL_UNKNOWN being returned by the KDC--which is how i found the uninitialized-pointer-free bug, probably needless to say, but it ties this bug-report-cum-AD-info-probe together nicely.
Created attachment 864: almost too obvious to submit patch
looks like JRA applied: http://websvn.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/libads/kerberos.c?rev=4334&r1=3495&r2=4334
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.