[PATCH 2/2] libads: Fix deadlock when re-joining a domain and updating keytab

Uri Simchoni urisimchoni at gmail.com
Fri May 1 15:35:28 MDT 2015

When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update thos entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374a..309e614 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 		smb_krb5_kt_free_entry(context, &kt_entry);
+	krb5_kt_end_seq_get(context, keytab, &cursor);
+	ZERO_STRUCT(cursor);
 	ret = 0;
 	for (i = 0; oldEntries[i]; i++) {
 		ret |= ads_keytab_add_entry(ads, oldEntries[i]);
-	krb5_kt_end_seq_get(context, keytab, &cursor);
-	ZERO_STRUCT(cursor);

More information about the samba-technical mailing list