[PATCH BUG 13478] krb5_wrap: fix keep_old_entries logic for older kerberos libraries

Christof Schmitt cs at samba.org
Tue Jun 19 23:04:36 UTC 2018


From 0814f429c311b315362d27fd884d3ea58f484210 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 19 Jun 2018 15:09:41 -0700
Subject: [PATCH] krb5_wrap: fix keep_old_entries logic for older kerberos
 libraries

MIT kerberos 1.13 and older only stores the 8 bits of the KVNO. The
change from commit 35b2fb4ff32 resulted in breakage for these kerberos
versions: 'net ads keytab create' reads a large KVNO from AD, and only
the lower 8 bits are stored. The next check then removed the entry again
as the 8bit value did not match the currently valid KVNO.

Fix this by limiting the check to only 8 bits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 lib/krb5_wrap/krb5_samba.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f49838c..7e90913 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 		}
 
 		if (!flush &&
-		    (kt_entry.vno == kvno) &&
+		    ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
 		    (kt_entry_enctype != enctype))
 		{
 			DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
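Review bot: The masked comparison on the `+` line is applied unconditionally, so with a library that stores the full KVNO, an entry whose `kt_entry.vno` differs from `kvno` by a multiple of 256 now satisfies the check and takes the "Saving entry" branch instead of being treated as old. Consider matching on the full value first and only falling back to the truncated form, for example `(kt_entry.vno == kvno || kt_entry.vno == (kvno & 0xff))`, which still covers the 8-bit storage case described in the commit message. A short comment above the condition explaining that MIT kerberos 1.13 and older store only 8 bits of the KVNO would also keep the mask from being removed later as an apparent cleanup.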
-- 
1.8.3.1


