auth: Allow a NULL principal to be obtained from the credentials

This is important when trying to let GSSAPI search the keytab.

Andrew Bartlett

source4/auth/gensec/gensec_krb5.c

@@ -521,7 +521,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		}
 		
-		/* This ensures we lookup the correct entry in that keytab */
+		/* This ensures we lookup the correct entry in that
+		 * keytab.  A NULL principal is acceptable, and means
+		 * that the krb5 libs should search the keytab at
+		 * accept time for any matching key */
 		ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
 						 gensec_krb5_state->smb_krb5_context, 
 						 &server_in_keytab, &obtained, &error_string);

source4/auth/kerberos/kerberos_util.c

@@ -293,14 +293,16 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 	krb5_error_code ret;
 	const char *princ_string;
 	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+	*obtained = CRED_UNINITIALISED;
+
 	if (!mem_ctx) {
 		(*error_string) = error_message(ENOMEM);
 		return ENOMEM;
 	}
 	princ_string = cli_credentials_get_principal_and_obtained(credentials, mem_ctx, obtained);
 	if (!princ_string) {
-		(*error_string) = error_message(ENOMEM);
-		return ENOMEM;
+		*princ = NULL;
+		return 0;
 	}
 
 	ret = parse_principal(parent_ctx, princ_string,
@@ -359,6 +361,12 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 		return ret;
 	}
 
+	if (princ == NULL) {
+		(*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials");
+		talloc_free(mem_ctx);
+		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	}
+
 	ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string);
 	if (ret) {
 		talloc_free(mem_ctx);