Diffstat (limited to 'auth/credentials')
-rw-r--r-- | auth/credentials/credentials.c | 6 | ||||
-rw-r--r-- | auth/credentials/credentials_krb5.c | 14 |
2 files changed, 7 insertions, 13 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3eaccde25e..05f0a624db 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
 * calculations */
 cred->domain = strupper_talloc(cred, val);
 cred->domain_obtained = obtained;
- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+ /* setting domain does not mean we have to invalidate ccache
+ * because domain in not used for Kerberos operations.
+ * If ccache invalidation is required, one will anyway specify
+ * a password to kinit, and that will force invalidation of the ccache
+ */
 return true;
 }
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2c93a8febc..2a23688ffd 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,18 +486,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 }
 }
-
- if (cred->ccache_obtained == CRED_UNINITIALISED) {
- /* Only attempt to re-acquire ccache if it is not already in place.
- * this is important for client-side use within frameworks with already acquired tickets
- * like Apache+mod_auth_kerb+Python
- */
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
- } else {
- ccache = cred->ccache;
- }
-
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
 if (ret) {
 if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
 DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); |
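Review bot: The new comment in cli_credentials_set_domain justifies dropping the ccache invalidation with an assumption about callers ("one will anyway specify a password to kinit") that nothing in this hunk enforces. If any code path derives the Kerberos principal or realm from the domain (not visible here), a caller that changes the domain without setting a password would keep authenticating with a ccache obtained for the previous identity. I would state the invariant rather than the expectation and fix the "in not used" typo, e.g. `/* domain is not used for Kerberos operations, so an existing ccache stays valid; setting a password is what invalidates it */`. The function starts outside the hunk.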
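Review bot: The now unconditional call to cli_credentials_get_ccache() in cli_credentials_get_client_gss_creds replaces a guard whose comment said it was important not to re-acquire a ccache that is already in place (Apache+mod_auth_kerb+Python), and nothing at the new call says why that is now safe. Presumably cli_credentials_get_ccache() itself returns the existing cache when ccache_obtained is already set; that is not visible in this hunk and is worth confirming, since otherwise externally acquired tickets would be replaced. A comment at the call would keep the requirement documented: `/* cli_credentials_get_ccache() hands back the ccache already in place, if any; it must not re-acquire over externally obtained tickets */`. The function body starts and ends outside the hunk.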