Restore krb5_get_credentials caching for referral requests

The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before.  Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.

ticket: 6916
target_version: 1.9.2
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 5 insertions, 0 deletions

diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index afa34c2d8c..0f03d427c9 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -419,6 +419,11 @@ complete(krb5_context context, krb5_tkt_creds_context ctx)
 {
     TRACE_TKT_CREDS_COMPLETE(context, ctx->reply_creds->server);
 
+    /* Put the requested server principal in the output creds. */
+    krb5_free_principal(context, ctx->reply_creds->server);
+    ctx->reply_creds->server = ctx->req_server;
+    ctx->req_server = NULL;
+
     /* Note the authdata we asked for in the output creds. */
     ctx->reply_creds->authdata = ctx->authdata;
     ctx->authdata = NULL;