krb5_wrap: fix keep_old_entries logic for older kerberos libraries
author Christof Schmitt <cs@samba.org>
Tue, 19 Jun 2018 22:09:41 +0000 (15:09 -0700)
committer Christof Schmitt <cs@samba.org>
Fri, 22 Jun 2018 22:57:47 +0000 (00:57 +0200)
MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change
from commit 35b2fb4ff32 resulted in breakage for these kerberos
versions: 'net ads keytab create' reads a large KVNO from AD, and only
the lower 8 bits are stored. The next check then removed the entry again
as the 8 bit value did not match the currently valid KVNO.

Fix this by limiting the check to only 8 bits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Sat Jun 23 00:57:47 CEST 2018 on sn-devel-144

lib/krb5_wrap/krb5_samba.c

index f49838cc61c0c3ded1749f5a34651d53fe3a3657..7e90913beb0f2875de2500575c0cc72b6123abbb 100644 (file)
@@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                }
 
                if (!flush &&
                }
 
                if (!flush &&
-                   (kt_entry.vno == kvno) &&
+                   ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
                    (kt_entry_enctype != enctype))
                {
                        DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
                    (kt_entry_enctype != enctype))
                {
                        DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
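
Review bot: The `& 0xff` mask in `((kt_entry.vno & 0xff) == (kvno & 0xff))` is applied unconditionally to both sides, so with a Kerberos library that stores the full KVNO, an old entry whose kvno differs from the current one by a multiple of 256 now also satisfies the condition and takes the "Saving entry" branch when its enctype differs. A narrower form would accept either `kt_entry.vno == kvno` or `kt_entry.vno == (kvno & 0xff)`, which covers the truncated value stored by older libraries without masking the keytab side as well. In either form, the condition needs a code comment stating that MIT Kerberos 1.13 and older keep only 8 bits of the KVNO, since the bare mask does not explain itself to a later reader.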