[PATCH] s3-krb5: Limit search for old kvno to 8bits

Christof Schmitt cs at samba.org
Tue May 6 21:57:52 MDT 2014


From cb0e25d1eb52e15f9c771a5d99027ab4afed3168 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 6 May 2014 16:48:07 -0700
Subject: [PATCH] s3-krb5: Limit search for old kvno to 8bits

Some keytab files store the kvno only in 8bits. Limit the compare to
8bits, so that we don't miss old keys and delete them. This fixes the
problem that updates to the keytab file removed all previous keys.

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/libads/kerberos_keytab.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 83df088..6a1ba75 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -49,6 +49,7 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
 	krb5_keytab_entry kt_entry;
 	krb5_keytab_entry zero_kt_entry;
 	char *ktprinc = NULL;
+	krb5_kvno old_kvno = kvno - 1;
 
 	ZERO_STRUCT(cursor);
 	ZERO_STRUCT(zero_csr);
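Review bot: The initializer `krb5_kvno old_kvno = kvno - 1;` has no guard for kvno == 0. If a caller can pass 0, the subtraction wraps, and after the 0xff mask applied in the compare below the value is 0xff, so any entry with vno 255 would be treated as the previous key and kept. Either skip the "save previous" branch when kvno is 0 or add a comment stating that callers never pass 0.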
@@ -115,12 +116,14 @@ static krb5_error_code seek_and_delete_old_entries(krb5_context context,
 		 * changes, all kerberizied sessions will 'break' until either
 		 * the client reboots or the client's session key expires and
 		 * they get a new session ticket with the new kvno.
+		 * Some keytab files only store the kvno in 8bits, limit
+		 * the compare accordingly.
 		 */
 
-		if (!flush && (kt_entry.vno == kvno - 1)) {
+		if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
 			DEBUG(5, (__location__ ": Saving previous (kvno %d) "
 				  "entry for principal: %s.\n",
-				  kvno - 1, princ_s));
+				  old_kvno, princ_s));
 			continue;
 		}
 
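Review bot: The masked compare `(kt_entry.vno & 0xff) == (old_kvno & 0xff)` also matches entries whose full vno differs from old_kvno by a multiple of 256, so in a keytab that does store the full kvno, keys from 256 or more changes back are retained instead of deleted. Consider comparing the full value first and falling back to the 8-bit compare only when the entry looks truncated, for example when kt_entry.vno <= 0xff. The DEBUG line prints old_kvno, which may not be the vno of the entry actually kept; logging kt_entry.vno as well would make the retained key identifiable.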
-- 
1.7.1