From 8bd67c593da5525a63a1d596e2c7fe38bc7cee57 Mon Sep 17 00:00:00 2001 From: Aaron Haslett Date: Tue, 1 May 2018 11:10:50 +1200 Subject: [PATCH] auth: keytab invalidation fix chgtdcpass should add a new DC password and delete the old ones but the bug exposed by this test causes the tool to remove only a single record from the old entries, leaving the old passwords functional. Since the tool is used by administrators who may have disclosed their domain join password and want to invalidate it, this is a security concern. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415 Signed-off-by: Aaron Haslett Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144 --- selftest/knownfail.d/keytab | 1 - source4/auth/kerberos/kerberos_util.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/selftest/knownfail.d/keytab b/selftest/knownfail.d/keytab index 6777d98ff28..e69de29bb2d 100644 --- a/selftest/knownfail.d/keytab +++ b/selftest/knownfail.d/keytab @@ -1 +0,0 @@ -^samba.unittests.kerberos.test_krb5_remove_obsolete_keytab_entries_many diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 618da626652..50bf8feec96 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx, krb5_kt_free_entry(context, &entry); /* Make sure we do not double free */ ZERO_STRUCT(entry); - } while (code != 0); + } while (code == 0); krb5_kt_end_seq_get(context, keytab, &cursor); -- 2.34.1