2 files changed, 24 insertions, 8 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6e6f7a5ebe..983d9012f0 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -762,7 +762,20 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 #endif
 		free(OIDs[i]);
 	}
-	DEBUG(3,("got principal=%s\n", principal));
+
+	DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
+
+	if (got_kerberos_mechanism && (principal == NULL)) {
+		/*
+		 * It is WRONG to depend on the principal sent in the negprot
+		 * reply, but right now we do it. So for safety (don't
+		 * segfault later) disable Kerberos when no principal was
+		 * sent. -- VL
+		 */
+		DEBUG(1, ("Kerberos mech was offered, but no principal was sent\n"));
+		DEBUGADD(1, ("Disabling Kerberos\n"));
+		cli->use_kerberos = False;
+	}
 
 	fstrcpy(cli->user_name, user);
 
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index fedf7e5c6e..a01c009b6e 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -149,13 +149,16 @@ BOOL spnego_parse_negTokenInit(DATA_BLOB blob,
 	asn1_end_tag(&data);
 	asn1_end_tag(&data);
 
-	asn1_start_tag(&data, ASN1_CONTEXT(3));
-	asn1_start_tag(&data, ASN1_SEQUENCE(0));
-	asn1_start_tag(&data, ASN1_CONTEXT(0));
-	asn1_read_GeneralString(&data,principal);
-	asn1_end_tag(&data);
-	asn1_end_tag(&data);
-	asn1_end_tag(&data);
+	*principal = NULL;
+	if (asn1_tag_remaining(&data) > 0) {
+		asn1_start_tag(&data, ASN1_CONTEXT(3));
+		asn1_start_tag(&data, ASN1_SEQUENCE(0));
+		asn1_start_tag(&data, ASN1_CONTEXT(0));
+		asn1_read_GeneralString(&data,principal);
+		asn1_end_tag(&data);
+		asn1_end_tag(&data);
+		asn1_end_tag(&data);
+	}
 
 	asn1_end_tag(&data);
 	asn1_end_tag(&data);