authorAndrew Bartlett <abartlet@samba.org>2014-12-18 11:03:44 +1300
committerAndrew Bartlett <abartlet@samba.org>2014-12-18 00:25:06 +0100
commit121bbc01842db03570623eadcbb97edab30ca651 (patch)
tree5b916b614cfb5ea6d364376b9f74099546928a6e /source4/auth
parent64f5984273fac19282fa1dd77c773840030a4ccb (diff)
gensec_krb5: Match behaviour of gensec_gssapi for password-based keytabs
This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb. Andrew Bartlett Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec_krb5.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index c34c43425e..a81dfc3751 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -591,6 +591,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
+ if (keytab->password_based || obtained < CRED_SPECIFIED) {
+ /*
+ * Use match-by-key in this case (matches
+ * cli_credentials_get_server_gss_creds()
+ * behaviour). No need to free the memory,
+ * this is handled with a talloc destructor.
+ */
+ server_in_keytab = NULL;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
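Review bot: The new comment above `server_in_keytab = NULL;` explains the parity with cli_credentials_get_server_gss_creds() but not the security consequence of match-by-key, which is that the acceptor no longer pins the ticket to one service principal. For the `keytab->password_based` arm every key derives from the same account password, so this looks harmless. The `obtained < CRED_SPECIFIED` arm also covers any keytab paired with a guessed or default principal, and if that keytab holds keys for several principals, a ticket for any of them would presumably be accepted. I would add to the comment something like `NULL principal: any key in the keytab may decrypt the ticket, so the keytab must hold only keys this server is meant to accept.` How `obtained` and `server_in_keytab` are set is outside this hunk, so confirm there that `obtained` is always initialised before this test.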