krb5_child: fix enterprise principal parsing in keep-alive sessions

When keep-alive sessions transition between command types (e.g., from
SSS_PAM_PREAUTH to SSS_PAM_AUTHENTICATE), enterprise principal settings
were not being updated, causing parsing inconsistencies in complex AD
environments.

This change ensures that when the backend sends updated enterprise
principal settings for different command types, the principals are
correctly re-parsed with the appropriate flags, fixing UPN handling in
multi-domain AD environments.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

Author: ikerexxe

src/providers/krb5/krb5_child.c

@@ -149,6 +149,7 @@ static errno_t k5c_attach_passkey_msg(struct krb5_req *kr, struct sss_passkey_ch
 static errno_t k5c_attach_keep_alive_msg(struct krb5_req *kr);
 static errno_t k5c_recv_data(struct krb5_req *kr, int fd, uint32_t *offline);
 static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error);
+static int k5c_setup(struct krb5_req *kr, uint32_t offline);
 
 static krb5_error_code set_lifetime_options(struct cli_opts *cli_opts,
                                             krb5_get_init_creds_opt *options)
@@ -874,6 +875,12 @@ static errno_t krb5_req_update(struct krb5_req *dest, struct krb5_req *src)
     talloc_free(dest->pd);
     dest->pd = talloc_steal(dest, src->pd);
 
+    /* Update settings that may change between commands */
+    dest->use_enterprise_princ = src->use_enterprise_princ;
+    dest->validate = src->validate;
+    dest->posix_domain = src->posix_domain;
+    dest->send_pac = src->send_pac;
+
     return EOK;
 }
 
@@ -941,6 +948,13 @@ static krb5_error_code k5c_send_and_recv(struct krb5_req *kr)
         goto done;
     }
 
+    ret = k5c_setup(kr, offline);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "k5c_setup failed during keep-alive [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
 done:
     talloc_free(tmpkr);
     return ret;
@@ -3989,22 +4003,30 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
         return kerr;
     }
 
+    if (kr->princ_orig != NULL) {
+        krb5_free_principal(kr->ctx, kr->princ_orig);
+    }
     kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
     if (kerr != 0) {
         KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
         return kerr;
     }
 
+    sss_krb5_free_unparsed_name(kr->ctx, kr->name);
     kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name);
     if (kerr != 0) {
         KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
         return kerr;
     }
 
-    kr->creds = calloc(1, sizeof(krb5_creds));
-    if (kr->creds == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
-        return ENOMEM;
+    if (kr->creds != NULL) {
+        krb5_free_cred_contents(kr->ctx, kr->creds);
+    } else {
+        kr->creds = calloc(1, sizeof(krb5_creds));
+        if (kr->creds == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
+            return ENOMEM;
+        }
     }
 
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER

src/util/sss_krb5.c

@@ -455,6 +455,9 @@ krb5_error_code
 sss_krb5_parse_name_flags(krb5_context context, const char *name, int flags,
                           krb5_principal *principal)
 {
+    if (principal != NULL) {
+        krb5_free_principal(context, *principal);
+    }
 #ifdef HAVE_KRB5_PARSE_NAME_FLAGS
     return krb5_parse_name_flags(context, name, flags, principal);
 #else