[PATCH 2/2] libads: Fix deadlock when re-joining a domain and updating keytab

[Uri Simchoni]

When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 source3/libads/kerberos_keytab.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ef6374a..309e614 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 		smb_krb5_kt_free_entry(context, &kt_entry);
 		ZERO_STRUCT(kt_entry);
 	}
+	krb5_kt_end_seq_get(context, keytab, &cursor);
+	ZERO_STRUCT(cursor);
+
 	ret = 0;
 	for (i = 0; oldEntries[i]; i++) {
 		ret |= ads_keytab_add_entry(ads, oldEntries[i]);
 		TALLOC_FREE(oldEntries[i]);
 	}
-	krb5_kt_end_seq_get(context, keytab, &cursor);
-	ZERO_STRUCT(cursor);
 
 done:
 	TALLOC_FREE(oldEntries);
-- 
1.9.1