[PATCH 2/2] libads: Fix deadlock when re-joining a domain and updating keytab

Uri Simchoni urisimchoni at gmail.com
Fri May 1 15:35:28 MDT 2015


When updating the system keytab as a result of joining a domain,
if the keytab had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an attempt to write-lock the keytab while a read-lock exists.

To reproduce, configure smb.conf for an ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374a..309e614 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 		smb_krb5_kt_free_entry(context, &kt_entry);
 		ZERO_STRUCT(kt_entry);
 	}
+	krb5_kt_end_seq_get(context, keytab, &cursor);
+	ZERO_STRUCT(cursor);
+
 	ret = 0;
 	for (i = 0; oldEntries[i]; i++) {
 		ret |= ads_keytab_add_entry(ads, oldEntries[i]);
 		TALLOC_FREE(oldEntries[i]);
 	}
-	krb5_kt_end_seq_get(context, keytab, &cursor);
-	ZERO_STRUCT(cursor);
 
 done:
 	TALLOC_FREE(oldEntries);
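Review bot: The moved krb5_kt_end_seq_get() call, now placed ahead of the oldEntries loop, has no comment saying why it must come before ads_keytab_add_entry(), so the ordering is easy to undo in a later cleanup. Per the commit message, the open cursor holds a read lock and the add path takes a write lock; a one-line comment above the call stating that would document the constraint where it applies. The return value of krb5_kt_end_seq_get() is also discarded at its new position; since the loop that follows depends on the cursor actually being released, consider checking it and logging or jumping to done: on failure. Finally, please confirm that nothing after the done: label ends the sequence a second time, since the cursor is now ZERO_STRUCT'ed earlier and the rest of the cleanup is not visible in this hunk.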
-- 
1.9.1


