In ads_verify_realm, all we use in the ADS_STRUCT is the

auth.realm. So directly pass that instead of setting up and tearing
down the ADS_STRUCT.

Volker
(This used to be commit ce5b8d2ec2)

source3/libads/kerberos_verify.c

@@ -28,7 +28,7 @@
   verify an incoming ticket and parse out the principal name and 
   authorization_data if available 
 */
-NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, 
+NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket, 
 			   char **principal, DATA_BLOB *auth_data,
 			   DATA_BLOB *ap_rep,
 			   uint8 session_key[16])
@@ -79,7 +79,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	ret = krb5_set_default_realm(context, ads->auth.realm);
+	ret = krb5_set_default_realm(context, realm);
 	if (ret) {
 		DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;

source3/smbd/sesssetup.c

@@ -149,7 +149,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	DATA_BLOB auth_data;
 	DATA_BLOB ap_rep, ap_rep_wrapped, response;
 	auth_serversupplied_info *server_info = NULL;
-	ADS_STRUCT *ads;
 	uint8 session_key[16];
 	uint8 tok_id[2];
 	BOOL foreign = False;
@@ -165,18 +164,9 @@ static int reply_spnego_kerberos(connection_struct *conn,
 		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
 	}
 
-	ads = ads_init_simple();
-
-	if (!ads) {
-		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
-	}
-
-	ads->auth.realm = strdup(lp_realm());
-
-	ret = ads_verify_ticket(ads, &ticket, &client, &auth_data, &ap_rep, session_key);
+	ret = ads_verify_ticket(lp_realm(), &ticket, &client, &auth_data, &ap_rep, session_key);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(1,("Failed to verify incoming ticket!\n"));	
-		ads_destroy(&ads);
 		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
 	}
 
@@ -187,13 +177,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	p = strchr_m(client, '@');
 	if (!p) {
 		DEBUG(3,("Doesn't look like a valid principal\n"));
-		ads_destroy(&ads);
 		data_blob_free(&ap_rep);
 		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
 	}
 
 	*p = 0;
-	if (strcasecmp(p+1, ads->auth.realm) != 0) {
+	if (strcasecmp(p+1, lp_realm()) != 0) {
 		DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
 		if (!lp_allow_trusted_domains()) {
 			data_blob_free(&ap_rep);
@@ -213,8 +202,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
 		user = smb_xstrdup(client);
 	}
 
-	ads_destroy(&ads);
-
 	/* setup the string used by %U */
 	sub_set_smb_name(user);