auth: keytab invalidation fix

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional.  Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144

diff --git a/selftest/knownfail.d/keytab b/selftest/knownfail.d/keytab
index 6777d98ff288ff3794027d73d424c240a90a99bd..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
--- a/selftest/knownfail.d/keytab
+++ b/selftest/knownfail.d/keytab
@@ -1 +0,0 @@
-^samba.unittests.kerberos.test_krb5_remove_obsolete_keytab_entries_many

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 618da62665204c7e46cc86b8e73b9b77eef49b93..50bf8feec9680c75158cc98d00b286d847532f2d 100644 (file)
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -633,7 +633,7 @@ krb5_error_code smb_krb5_remove_obsolete_keytab_entries(TALLOC_CTX *mem_ctx,
                krb5_kt_free_entry(context, &entry);
                /* Make sure we do not double free */
                ZERO_STRUCT(entry);
-       } while (code != 0);
+       } while (code == 0);
 
        krb5_kt_end_seq_get(context, keytab, &cursor);