From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Nov 2024 09:23:36 +0100
Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
 2.9.4

Resolves: https://github.com/SSSD/sssd/issues/7715
---
 src/util/sss_krb5.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 3f57e5b268f..0b83142ddfc 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -115,6 +115,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
 
     kerr = sss_krb5_init_context(&krb_ctx);
     if (kerr) {
+	krb_ctx = NULL;
         DEBUG(SSSDBG_OP_FAILURE, "Failed to init Kerberos context\n");
         ret = EFAULT;
         goto done;
@@ -248,7 +249,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
     }
 
 done:
-    if (ret != EOK) {
+    if (ret != EOK && krb_ctx != NULL) {
         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
                KEYTAB_CLEAN_NAME, strerror(ret));
         sss_log(SSS_LOG_ERR, "Failed to read keytab [%s]: %s\n",