From de786e0220605acce81ad19429722f61d8c36608 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 10 Mar 2017 19:47:24 +0200
Subject: [PATCH] one more patch from git master
---
samba-v4.6-credentials-fix-realm.patch | 54 ++++++++++++++++++++++++++
samba.spec | 7 +++-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 samba-v4.6-credentials-fix-realm.patch
diff --git a/samba-v4.6-credentials-fix-realm.patch b/samba-v4.6-credentials-fix-realm.patch
new file mode 100644
index 0000000..8583d5b
--- /dev/null
+++ b/samba-v4.6-credentials-fix-realm.patch
@@ -0,0 +1,54 @@
+commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
+Author: Andreas Schneider
+Date: Wed Dec 21 22:17:22 2016 +0100
+
+ auth/credentials: Always set the the realm if we set the principal from the ccache
+
+ This fixes a bug in gensec_gssapi_client_start() where an invalid realm
+ is used to get a Kerberos ticket.
+
Signed-off-by: Andreas Schneider + Reviewed-by: Stefan Metzmacher + (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7) + +diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c +index 0e68012..1912c48 100644 +--- a/auth/credentials/credentials_krb5.c ++++ b/auth/credentials/credentials_krb5.c +@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained, + const char **error_string) + { +- ++ bool ok; ++ char *realm; + krb5_principal princ; + krb5_error_code ret; + char *name; +@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + return ret; + } + +- cli_credentials_set_principal(cred, name, obtained); +- ++ ok = cli_credentials_set_principal(cred, name, obtained); ++ if (!ok) { ++ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ return ENOMEM; ++ } + free(name); + ++ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context, ++ princ); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ if (realm == NULL) { ++ return ENOMEM; ++ } ++ ok = cli_credentials_set_realm(cred, realm, obtained); ++ SAFE_FREE(realm); ++ if (!ok) { ++ return ENOMEM; ++ } + + /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ + cred->ccache_obtained = obtained; diff --git a/samba.spec b/samba.spec index 560e3f0..d33b292 100644 --- a/samba.spec +++ b/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 2 +%define main_release 3 %define samba_version 4.6.0 %define talloc_version 2.1.9 @@ -108,6 +108,7 @@ Source200: README.dc Source201: README.downgrade Patch0: samba-v4.6-gss_krb5_import_cred.patch +Patch1: samba-v4.6-credentials-fix-realm.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd 
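Review bot: In the credentials_krb5.c change carried by samba-v4.6-credentials-fix-realm.patch, the new `if (!ok)` branch after `cli_credentials_set_principal()` returns before `free(name);` runs, so the buffer that call releases is leaked on that path; add `free(name);` inside the branch ahead of `return ENOMEM;`. The new error returns also leave `*error_string` untouched; `cli_credentials_set_from_ccache()` starts and ends outside the hunk, so whether its other failure paths set the string cannot be seen here, and callers that log it should be checked. Mapping every `false` from the two setters to `ENOMEM` assumes allocation failure is their only failure mode; if they can also decline a value for another reason (not visible on this page), credential setup from the ccache would now abort with a misleading error where it previously continued.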
@@ -2628,6 +2629,10 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Thu Mar 10 2017 Alexander Bokovoy - 4.6.0-3 +- auth/credentials: Always set the the realm if we set the principal from the ccache +- resolves: #1430761 - credentials_crb5: use gss_acquire_cred for client-side GSSAPI use case + * Thu Mar 09 2017 Alexander Bokovoy - 4.6.0-2 - resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case