lib/krb5 correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals

An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from Samba commit fca11edc0b476f5b87b3301da32fd0409d9590c7)

diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 52204ee5905d1053d3fb9ae3da1b5f125d832f38..0c55d2c4bb7aae515bf491d22b2876b32b6137e9 100644 (file)
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2391,6 +2391,18 @@ krb5_init_creds_step(krb5_context context,
                free_AS_REQ(&ctx->as_req);
                memset(&ctx->as_req, 0, sizeof(ctx->as_req));
 
+               if (ret)
+                   goto out;
+
+               if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+                   ret = krb5_init_creds_set_service(context, ctx, NULL);
+                   if (ret)
+                       goto out;
+               }
+
+               free_AS_REQ(&ctx->as_req);
+               memset(&ctx->as_req, 0, sizeof(ctx->as_req));
+
                ctx->used_pa_types = 0;
 
            } else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) {
@@ -2495,6 +2507,15 @@ krb5_init_creds_step(krb5_context context,
        }
     }
 
+    if (ctx->as_req.req_body.cname == NULL) {
+       ret = init_as_req(context, ctx->flags, &ctx->cred,
+                         ctx->addrs, ctx->etypes, &ctx->as_req);
+       if (ret) {
+           free_init_creds_ctx(context, ctx);
+           return ret;
+       }
+    }
+
     if (ctx->as_req.padata) {
        free_METHOD_DATA(ctx->as_req.padata);
        free(ctx->as_req.padata);