From 121bbc01842db03570623eadcbb97edab30ca651 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 18 Dec 2014 11:03:44 +1300
Subject: gensec_krb5: Match behaviour of gensec_gssapi for password-based
 keytabs

This allows the winbind.pac.krb5 test to pass against the s3member environment, which uses the password from secrets.tdb.

Andrew Bartlett

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/gensec/gensec_krb5.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'source4/auth')

diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index c34c43425e..a81dfc3751 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -591,6 +591,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		}
 
+		if (keytab->password_based || obtained < CRED_SPECIFIED) {
+			/* 
+			 * Use match-by-key in this case (matches
+			 * cli_credentials_get_server_gss_creds()
+			 * behaviour).  No need to free the memory,
+			 * this is handled with a talloc destructor.
+			 */
+			server_in_keytab = NULL;
+		}
+
 		/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 		if (gensec_krb5_state->gssapi
 		    && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
-- 
cgit