gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabs
authorAndrew Bartlett <abartlet@samba.org>
Wed, 17 Dec 2014 22:03:44 +0000 (11:03 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 17 Dec 2014 23:25:06 +0000 (00:25 +0100)
This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb.

Andrew Bartlett

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/gensec/gensec_krb5.c

index c34c43425e48e53174629ac1590e3ff2568a74d0..a81dfc37510ea832dadf116ce79f9e37c6ef12b2 100644 (file)
@@ -591,6 +591,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
                        return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
                }
 
+               if (keytab->password_based || obtained < CRED_SPECIFIED) {
+                       /* 
+                        * Use match-by-key in this case (matches
+                        * cli_credentials_get_server_gss_creds()
+                        * behaviour).  No need to free the memory,
+                        * this is handled with a talloc destructor.
+                        */
+                       server_in_keytab = NULL;
+               }
+
                /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
                if (gensec_krb5_state->gssapi
                    && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
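Review bot: The comment on the new `server_in_keytab = NULL` branch explains the memory handling but not the security consequence of match-by-key: with no principal to match, acceptance presumably depends only on which keytab key decrypts the ticket, so the service name in the ticket is no longer compared against the expected server principal. That is likely narrow for `keytab->password_based`, but on the `obtained < CRED_SPECIFIED` arm a file keytab holding keys for several services would accept a ticket issued for any of them. I would extend the comment with a line such as `* Note: match-by-key accepts a ticket for any principal whose key is in the keytab; the service name is not checked.` and consider a debug-level log when the branch is taken, so the relaxed matching is visible in traces. The declarations of `obtained` and `server_in_keytab` and the call that consumes the NULL are outside the hunk, so this is inferred from the comment rather than confirmed.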