diff options
author | Aaron Haslett <aaronhaslett@catalyst.net.nz> | 2018-05-01 11:10:50 +1200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-05-15 15:45:08 +0200 |
commit | 8bd67c593da5525a63a1d596e2c7fe38bc7cee57 (patch) | |
tree | b80106d736b5b191b29147543d0a42ce38d1d5d3 /source4/auth/kerberos | |
parent | a3d6fdd5355d366f3d23915cecc10c6f039daa44 (diff) | |
download | samba-8bd67c593da5525a63a1d596e2c7fe38bc7cee57.tar.gz |
auth: keytab invalidation fix
chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 618da626652..50bf8feec96 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx, krb5_kt_free_entry(context, &entry); /* Make sure we do not double free */ ZERO_STRUCT(entry); - } while (code != 0); + } while (code == 0); krb5_kt_end_seq_get(context, keytab, &cursor); |