libads: Fix deadlock when re-joining a domain and updating keytab

When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374ae7bed278c4ab4a94ddbe6c40f1a23c17c..309e614b4f022b7af2aa2834a36796fdb959855b 100644 (file)
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
                smb_krb5_kt_free_entry(context, &kt_entry);
                ZERO_STRUCT(kt_entry);
        }
+       krb5_kt_end_seq_get(context, keytab, &cursor);
+       ZERO_STRUCT(cursor);
+
        ret = 0;
        for (i = 0; oldEntries[i]; i++) {
                ret |= ads_keytab_add_entry(ads, oldEntries[i]);
                TALLOC_FREE(oldEntries[i]);
        }
-       krb5_kt_end_seq_get(context, keytab, &cursor);
-       ZERO_STRUCT(cursor);
 
 done:
        TALLOC_FREE(oldEntries);