s3-krb5: Limit search for old kvno to 8bits
[mat/samba.git] / source3 / libads / kerberos_keytab.c
index 83df0882f0094e2198600bd5003985075138ef78..6a1ba75ac01b3c9055ca266506f38514ea7b7315 100644 (file)
@@ -49,6 +49,7 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
        krb5_keytab_entry kt_entry;
        krb5_keytab_entry zero_kt_entry;
        char *ktprinc = NULL;
+       krb5_kvno old_kvno = kvno - 1;
 
        ZERO_STRUCT(cursor);
        ZERO_STRUCT(zero_csr);
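Review bot: `krb5_kvno old_kvno = kvno - 1;` is computed with no check for `kvno == 0`. The typedef of krb5_kvno and the `kvno` parameter are outside this hunk, but if the type is unsigned on this build the subtraction wraps. After the `& 0xff` mask added in the second hunk, the "previous" entry would then be any entry whose low byte is 0xff. Consider skipping the save-previous branch when `kvno == 0`, and documenting the declaration with a comment such as `/* kvno of the key being replaced; only meaningful when kvno > 0 */`. The function body starts and ends outside this hunk.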
@@ -115,12 +116,14 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
                 * changes, all kerberizied sessions will 'break' until either
                 * the client reboots or the client's session key expires and
                 * they get a new session ticket with the new kvno.
+                * Some keytab files only store the kvno in 8bits, limit
+                * the compare accordingly.
                 */
 
-               if (!flush && (kt_entry.vno == kvno - 1)) {
+               if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
                        DEBUG(5, (__location__ ": Saving previous (kvno %d) "
                                  "entry for principal: %s.\n",
-                                 kvno - 1, princ_s));
+                                 old_kvno, princ_s));
                        continue;
                }
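Review bot: Masking both sides with `0xff` in the `!flush` test treats every entry whose kvno is congruent to `old_kvno` modulo 256 as the previous key, so a full-width entry from 256 rotations back is kept in the keytab instead of being purged. A retained stale key lengthens the period in which a superseded machine password is still accepted, which matters if an older key was ever exposed. The 8-bit compare could apply only when the stored value itself fits in 8 bits: `if (!flush && (kt_entry.vno == old_kvno || (kt_entry.vno <= 0xff && kt_entry.vno == (old_kvno & 0xff)))) {`. Separately, the DEBUG call now passes `old_kvno` to `%d`; if krb5_kvno is unsigned here, `%u` matches the type. The enclosing loop continues outside the hunk.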