1 files changed, 7 insertions, 8 deletions

diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 26bf0cf663..14e2f586c3 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -229,21 +229,19 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
 	struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 
 	if (gensec_krb5_state->ticket.length) { 
-	/* Hmm, heimdal dooesn't have this - what's the correct call? */
+	/* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
 #ifdef HAVE_KRB5_FREE_DATA_CONTENTS
 		krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket); 
 #endif
 	}
 	if (gensec_krb5_state->krb5_ccache) {
-		/* Removed by jra. They really need to fix their kerberos so we don't leak memory. 
-		   JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
-		   SuSE 9.1 Pro 
-		*/
-#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
-		krb5_cc_close(context, gensec_krb5_state->krb5_ccache);
-#endif
+		/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
+		krb5_cc_close(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache);
 	}
 
+	krb5_free_keyblock_contents(gensec_krb5_state->krb5_context, 
+				    &gensec_krb5_state->krb5_keyblock);
+		
 	if (gensec_krb5_state->krb5_auth_context) {
 		krb5_auth_con_free(gensec_krb5_state->krb5_context, 
 				   gensec_krb5_state->krb5_auth_context);
@@ -275,6 +273,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	gensec_krb5_state->krb5_auth_context = NULL;
 	gensec_krb5_state->krb5_ccache = NULL;
 	ZERO_STRUCT(gensec_krb5_state->ticket);
+	ZERO_STRUCT(gensec_krb5_state->krb5_keyblock);
 	gensec_krb5_state->session_key = data_blob(NULL, 0);
 
 	ret = krb5_init_context(&gensec_krb5_state->krb5_context);