The krb5_get_credentials() rewrite for IAKERB accidentally omitted the
final step of restoring the requested realm in the output credentials.
As a result, referral entries are not cached, and the caller sees the
actual realm in (*out_creds)->server instead of the referral realm as
before. Fix this in complete() by swapping ctx->req_server into
ctx->reply_creds->server.
ticket: 6916
target_version: 1.9.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24945
dc483132-0cff-0310-8789-
dd5450dbe970
{
TRACE_TKT_CREDS_COMPLETE(context, ctx->reply_creds->server);
+ /* Put the requested server principal in the output creds. */
+ krb5_free_principal(context, ctx->reply_creds->server);
+ ctx->reply_creds->server = ctx->req_server;
+ ctx->req_server = NULL;
+
/* Note the authdata we asked for in the output creds. */
ctx->reply_creds->authdata = ctx->authdata;
ctx->authdata = NULL;