s3-krb5: Limit search for old kvno to 8bits

Some keytab files store the kvno only in 8bits. Limit the compare to
8bits, so that we don't miss old keys and delete them. This fixes the
problem that updates to the keytab file removed all previous keys.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu May  8 00:54:15 CEST 2014 on sn-devel-104

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 83df0882f0094e2198600bd5003985075138ef78..6a1ba75ac01b3c9055ca266506f38514ea7b7315 100644 (file)
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -49,6 +49,7 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
        krb5_keytab_entry kt_entry;
        krb5_keytab_entry zero_kt_entry;
        char *ktprinc = NULL;
+       krb5_kvno old_kvno = kvno - 1;
 
        ZERO_STRUCT(cursor);
        ZERO_STRUCT(zero_csr);
@@ -115,12 +116,14 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
                 * changes, all kerberizied sessions will 'break' until either
                 * the client reboots or the client's session key expires and
                 * they get a new session ticket with the new kvno.
+                * Some keytab files only store the kvno in 8bits, limit
+                * the compare accordingly.
                 */
 
-               if (!flush && (kt_entry.vno == kvno - 1)) {
+               if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
                        DEBUG(5, (__location__ ": Saving previous (kvno %d) "
                                  "entry for principal: %s.\n",
-                                 kvno - 1, princ_s));
+                                 old_kvno, princ_s));
                        continue;
                }