From 3a870baee8d9dbe5359f04a108814afc27e57d46 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 29 Dec 2016 15:20:00 +0100
Subject: [PATCH] s4:gensec_gssapi: require a realm in
 gensec_gssapi_client_start()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 3974c3d42a0..2ae2e23f3d2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (realm == NULL) {
+		char *cred_name = cli_credentials_get_unparsed_name(creds,
+								gensec_security);
+		DEBUG(3, ("cli_credentials(%s) without realm, "
+			  "cannot use kerberos for this connection %s/%s\n",
+			  cred_name, service, hostname));
+		TALLOC_FREE(cred_name);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 do_start:
 
 	nt_status = gensec_gssapi_start(gensec_security);