return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
- /* This ensures we lookup the correct entry in that keytab */
+ /* This ensures we lookup the correct entry in that
+ * keytab. A NULL principal is acceptable, and means
+ * that the krb5 libs should search the keytab at
+ * accept time for any matching key */
ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
gensec_krb5_state->smb_krb5_context,
&server_in_keytab, &obtained, &error_string);
krb5_error_code ret;
const char *princ_string;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+ *obtained = CRED_UNINITIALISED;
+
if (!mem_ctx) {
(*error_string) = error_message(ENOMEM);
return ENOMEM;
}
princ_string = cli_credentials_get_principal_and_obtained(credentials, mem_ctx, obtained);
if (!princ_string) {
- (*error_string) = error_message(ENOMEM);
- return ENOMEM;
+ *princ = NULL;
+ return 0;
}
ret = parse_principal(parent_ctx, princ_string,
return ret;
}
+ if (princ == NULL) {
+ (*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials");
+ talloc_free(mem_ctx);
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string);
if (ret) {
talloc_free(mem_ctx);