From 4d1a261202d828efc84e3a84d16c30548f29f76d Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Wed, 11 Apr 2012 12:12:57 +0200
Subject: If canon'ing principals, write ccache with updated default principal

 * When calling krb5_get_init_creds_keytab() with
   krb5_get_init_creds_opt_set_canonicalize() the credential
   principal can get updated.
 * Create the cache file with the correct default credential.
 * LDAP GSSAPI SASL would fail due to the mismatched credentials
   before this patch.

https://bugzilla.redhat.com/show_bug.cgi?id=811518
---
 src/providers/ldap/ldap_child.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/providers/ldap/ldap_child.c')

diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 5356f883..e6bf4c3a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -285,7 +285,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
         goto done;
     }
 
-    krberr = krb5_cc_initialize(context, ccache, kprinc);
+    /* Use updated principal if changed due to canonicalization. */
+    krberr = krb5_cc_initialize(context, ccache, my_creds.client);
     if (krberr) {
         DEBUG(2, ("Failed to init ccache: %s\n",
                   sss_krb5_get_error_message(context, krberr)));
-- 
cgit