From 4d1a261202d828efc84e3a84d16c30548f29f76d Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Wed, 11 Apr 2012 12:12:57 +0200
Subject: If canon'ing principals, write ccache with updated default principal

* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
---
 src/providers/ldap/ldap_child.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/providers/ldap/ldap_child.c')
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 5356f883..e6bf4c3a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -285,7 +285,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 goto done;
 }

- krberr = krb5_cc_initialize(context, ccache, kprinc);
+ /* Use updated principal if changed due to canonicalization. */
+ krberr = krb5_cc_initialize(context, ccache, my_creds.client);
 if (krberr) {
 DEBUG(2, ("Failed to init ccache: %s\n",
 sss_krb5_get_error_message(context, krberr)));
-- cgit
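Review bot: The call `krb5_cc_initialize(context, ccache, my_creds.client)` now makes the cache's default principal whatever the KDC returned, and nothing in the hunk records when that differs from the requested `kprinc`. A short trace before the call would make the substitution visible when diagnosing SASL bind or identity problems, for example `if (!krb5_principal_compare(context, kprinc, my_creds.client)) DEBUG(5, ("Principal canonicalized by KDC, using returned client principal\n"));`. The added comment could also say that `my_creds.client` is only meaningful after the preceding `krb5_get_init_creds_keytab()` call succeeded, which the `goto done` context above appears to guarantee. ldap_child_get_tgt_sync starts and ends outside the hunk, so any later use of `kprinc` (for a value reported back to the caller, say) should be checked for the same mismatch.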