From 4e472264537d0732e67c907a9ccaea0d28582c4c Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Tue, 19 Jun 2018 15:09:41 -0700 Subject: [PATCH] krb5_wrap: fix keep_old_entries logic for older kerberos libraries MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change from commit 35b2fb4ff32 resulted in breakage for these kerberos versions: 'net ads keytab create' reads a large KVNO from AD, and only the lower 8 bits are stored. The next check then removed the entry again as the 8 bit value did not match the currently valid KVNO. Fix this by limiting the check to only 8 bits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478 Signed-off-by: Christof Schmitt Reviewed-by: Alexander Bokovoy Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Sat Jun 23 00:57:47 CEST 2018 on sn-devel-144 (cherry picked from commit 97eaeea6a130871cfac5be42459380c0c4e0fae6) --- lib/krb5_wrap/krb5_samba.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 7c461e5..0ba8aae 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, } if (!flush && - (kt_entry.vno == kvno) && + ((kt_entry.vno & 0xff) == (kvno & 0xff)) && (kt_entry_enctype != enctype)) { DEBUG(5, (__location__ ": Saving entry with kvno [%d] " -- 1.8.3.1