lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals

An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

lib/krb5/init_creds_pw.c

@@ -2330,6 +2330,17 @@ krb5_init_creds_step(krb5_context context,
 		ret = krb5_principal_set_realm(context,
 					       ctx->cred.client,
 					       *ctx->error.crealm);
+		if (ret)
+		    goto out;
+
+		if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+		    ret = krb5_init_creds_set_service(context, ctx, NULL);
+		    if (ret)
+			goto out;
+		}
+
+		free_AS_REQ(&ctx->as_req);
+		memset(&ctx->as_req, 0, sizeof(ctx->as_req));
 
 		ctx->used_pa_types = 0;
 	    } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->prompter) {
@@ -2379,6 +2390,15 @@ krb5_init_creds_step(krb5_context context,
 	}
     }
 
+    if (ctx->as_req.req_body.cname == NULL) {
+	ret = init_as_req(context, ctx->flags, &ctx->cred,
+			  ctx->addrs, ctx->etypes, &ctx->as_req);
+	if (ret) {
+	    free_init_creds_ctx(context, ctx);
+	    return ret;
+	}
+    }
+
     if (ctx->as_req.padata) {
 	free_METHOD_DATA(ctx->as_req.padata);
 	free(ctx->as_req.padata);