This fixes a regression introduced in
5c5d586d3ebd40 at a higher level
in the caller smb_krb5_kt_add_entry(): calling smb_krb5_kt_add_entry
with keep_old_entries=false resulted in only one enctype per principal
remaining in the exported keytab.
The function smb_krb5_kt_seek_and_delete_old_entries() is called from
smb_krb5_kt_add_entry() when adding keys to a keytab. When the keytab
contains keys with the same kvno as the key to be added and
keep_old_entries is false, the key is deleted without checking the
encryption type of the key. This means that when adding keys for a
principal only the last enctype will be in the exported keytab.
Fix this by checking the encryption type and only treat a key as "old"
if keytab_key_kvno <= new_key_kvno and keytab_key_enctype ==
new_key_enctype.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
bool name_ok = false;
DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
bool name_ok = false;
+ krb5_enctype kt_entry_enctype =
+ smb_get_enctype_from_kt_entry(&kt_entry);
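Review bot: The new `kt_entry_enctype` local is computed for every keytab entry before the `!flush` test, but it is only consulted in the non-flush path, so a flush walks the whole keytab doing unused enctype lookups; consider moving the `smb_get_enctype_from_kt_entry(&kt_entry)` call down into the `!flush` branch where it is needed, or noting in a comment why it is evaluated unconditionally.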
if (!flush && (princ_s != NULL)) {
ret = smb_krb5_unparse_name(tmp_ctx, context,
if (!flush && (princ_s != NULL)) {
ret = smb_krb5_unparse_name(tmp_ctx, context,
+ if (!flush &&
+ (kt_entry.vno == kvno) &&
+ (kt_entry_enctype != enctype))
+ {
+ DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
+ "enctype [%d] for principal: %s.\n",
+ kvno, kt_entry_enctype, princ_s));
+ continue;
+ }
+
DEBUG(5, (__location__ ": Found old entry for principal: %s "
"(kvno %d) - trying to remove it.\n",
princ_s, kt_entry.vno));
DEBUG(5, (__location__ ": Found old entry for principal: %s "
"(kvno %d) - trying to remove it.\n",
princ_s, kt_entry.vno));
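Review bot: The added skip condition does not match the commit message, and its DEBUG call can dereference a NULL `princ_s`. The message says an entry is "old" only if `keytab_key_kvno <= new_key_kvno and keytab_key_enctype == new_key_enctype`, but the code keeps an entry only when `kt_entry.vno == kvno` and the enctype differs, so an entry with a lower kvno and a different enctype is still deleted; either the message should describe the `==` rule or the check should cover `kt_entry.vno <= kvno`. Separately, the surrounding context guards use of `princ_s` with `if (!flush && (princ_s != NULL))`, whereas the new block is guarded by `!flush` alone and then passes `princ_s` to a `%s` format in `DEBUG(5, ...)`; add `(princ_s != NULL)` to the new condition or print a placeholder when it is NULL.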