author Aaron Haslett <aaronhaslett@catalyst.net.nz> 2018-05-01 11:10:50 +1200
committer Andreas Schneider <asn@cryptomilk.org> 2018-05-15 15:45:08 +0200
commit 8bd67c593da5525a63a1d596e2c7fe38bc7cee57
tree b80106d736b5b191b29147543d0a42ce38d1d5d3 /source4/auth/kerberos
parent a3d6fdd5355d366f3d23915cecc10c6f039daa44
auth: keytab invalidation fix

chgtdcpass should add a new DC password and delete the old ones but the bug exposed by this test causes the tool to remove only a single record from the old entries, leaving the old passwords functional. Since the tool is used by administrators who may have disclosed their domain join password and want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144

Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r-- source4/auth/kerberos/kerberos_util.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 618da626652..50bf8feec96 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
krb5_kt_free_entry(context, &entry);
/* Make sure we do not double free */
ZERO_STRUCT(entry);
- } while (code != 0);
+ } while (code == 0);
krb5_kt_end_seq_get(context, keytab, &cursor);
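
Review bot: At `} while (code == 0);` the loop now stops on the first non-zero `code`, and the lines shown do not distinguish a normal end of the keytab from a failure partway through the scan. If the sequence read fails early, the remaining old entries stay in place, which is the same outcome the commit message calls a security concern. Around `krb5_kt_end_seq_get(context, keytab, &cursor);`, check that `code` is the end-of-keytab value (`KRB5_KT_END`) and return any other value as an error instead of reporting success. A short comment on the loop condition naming the call that sets `code` would also help, since the inverted test was easy to overlook.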