From: Aaron Haslett Date: Mon, 30 Apr 2018 23:10:50 +0000 (+1200) Subject: auth: keytab invalidation fix X-Git-Tag: ldb-1.4.0~231 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=8bd67c593da5525a63a1d596e2c7fe38bc7cee57 auth: keytab invalidation fix chgtdcpass should add a new DC password and delete the old ones but the bug exposed by this test causes the tool to remove only a single record from the old entries, leaving the old passwords functional. Since the tool is used by administrators who may have disclosed their domain join password and want to invalidate it, this is a security concern. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415 Signed-off-by: Aaron Haslett Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144 --- diff --git a/selftest/knownfail.d/keytab b/selftest/knownfail.d/keytab index 6777d98ff28..e69de29bb2d 100644 --- a/selftest/knownfail.d/keytab +++ b/selftest/knownfail.d/keytab @@ -1 +0,0 @@ -^samba.unittests.kerberos.test_krb5_remove_obsolete_keytab_entries_many diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 618da626652..50bf8feec96 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx, krb5_kt_free_entry(context, &entry); /* Make sure we do not double free */ ZERO_STRUCT(entry); - } while (code != 0); + } while (code == 0); krb5_kt_end_seq_get(context, keytab, &cursor);