From 33817876cb7ecb9432cfefad1cf67ae75260310d Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 17 Jul 2015 09:03:25 +0200
Subject: s4-kerberos: Make sure we handle kvno's in keytabs correctly

Signed-off-by: Andreas Schneider
---
 source4/auth/kerberos/kerberos_util.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'source4/auth/kerberos')

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index b7f5ab0f09f..76d46bc13f1 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -522,6 +522,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
 }
 
 do {
+ krb5_kvno old_kvno = kvno - 1;
 krb5_keytab_entry entry;
 bool matched = false;
 uint32_t i;
@@ -556,8 +557,14 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
 continue;
 }
 
- /* Delete it, if it is not kvno - 1 */
- if (entry.vno != (kvno - 1)) {
+ /*
+ * Delete it, if it is not kvno - 1.
+ *
+ * Some keytab files store the kvno only in 8bits. Limit the
+ * compare to 8bits, so that we don't miss old keys and delete
+ * them.
+ */
+ if ((entry.vno & 0xff) != (old_kvno & 0xff)) {
 krb5_error_code rc;
 
 /* Release the enumeration. We are going to
-- 
cgit v1.2.1
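Review bot: Masking both sides with 0xff in the new compare keeps every entry whose vno is congruent to old_kvno modulo 256, not only the 8-bit-truncated previous key, so in a keytab that stores full kvnos an obsolete key such as old_kvno - 256 now survives the cleanup and stays usable; if that matters, apply the mask only when the entry's own vno fits in 8 bits, e.g. `if (entry.vno > 0xff ? entry.vno != old_kvno : entry.vno != (old_kvno & 0xff)) {`. The added comment's "so that we don't miss old keys and delete them" reads as though deleting old keys were the failure mode; suggest `so that a previous key stored with a truncated kvno is not mistaken for an obsolete one and deleted`. smb_krb5_remove_obsolete_keytab_entries starts and ends outside this hunk, so how the matched flag and entries carrying the current kvno are handled before this point is not visible here.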