From 956c6562ebaaec6f41d5b9e86af7ffe377ab00ab Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 26 Oct 2022 11:03:34 +0200
Subject: [PATCH] lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries()

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 lib/krb5_wrap/krb5_samba.c       | 24 +++++++++++++++++++++---
 lib/krb5_wrap/krb5_samba.h       |  2 ++
 source3/libads/kerberos_keytab.c |  2 ++
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 9515c5e7452..6edb2b84d75 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1630,8 +1630,12 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
  *
  * @param[in] keytab The keytab to operate on.
  *
+ * @param[in] keep_old_kvno Keep the entries with the previous kvno.
+ *
  * @param[in] kvno The kvnco to use.
  *
+ * @param[in] enctype_only Only evaluate the enctype argument if true
+ *
  * @param[in] enctype Only search for entries with the specified enctype
  *
  * @param[in] princ_s The principal as a string to search for.
@@ -1646,7 +1650,9 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
  */
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 							krb5_keytab keytab,
+							bool keep_old_kvno,
 							krb5_kvno kvno,
+							bool enctype_only,
 							krb5_enctype enctype,
 							const char *princ_s,
 							krb5_principal princ,
@@ -1659,6 +1665,16 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 	krb5_kvno old_kvno = kvno - 1;
 	TALLOC_CTX *tmp_ctx;
 
+	if (flush) {
+		SMB_ASSERT(!keep_old_kvno);
+		SMB_ASSERT(!enctype_only);
+		SMB_ASSERT(princ_s == NULL);
+		SMB_ASSERT(princ == NULL);
+	} else {
+		SMB_ASSERT(princ_s != NULL);
+		SMB_ASSERT(princ != NULL);
+	}
+
 	ZERO_STRUCT(cursor);
 	ZERO_STRUCT(kt_entry);
 
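Review bot: The two new @param lines do not state the contract the new SMB_ASSERT block in the same function enforces: when `flush` is true, `keep_old_kvno` and `enctype_only` must be false and `princ_s`/`princ` must be NULL, otherwise `princ_s` and `princ` must be non-NULL. Suggested wording: `@param[in] keep_old_kvno Keep the entries with the previous kvno (must be false when flush is true).` and `@param[in] enctype_only Only evaluate the enctype argument if true (must be false when flush is true).`, which also gives the second line the terminating period the first one has. Since this comment block is being edited anyway, the pre-existing `kvnco` typo on the context line could be fixed in the same hunk. The rest of the doc block, including any description of `flush`, is outside the hunk.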
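Review bot: `SMB_ASSERT(princ_s != NULL)` in the non-flush branch turns an input the pre-patch code tolerated into an abort: the removed `if (!flush && (princ_s != NULL))` condition in the hunk at 1679 merely skipped the principal-name compare for a NULL `princ_s`, so a non-flush caller passing NULL previously fell through to the kvno/enctype handling and now trips the assertion instead. The only non-flush caller this patch touches is smb_krb5_kt_add_entry, whose validation of `princ_s`/`princ` is outside the hunk; either confirm it never passes NULL or fail soft with a returned error such as `if (princ_s == NULL || princ == NULL) { return EINVAL; }` so a malformed caller does not take the process down. The body of smb_krb5_kt_seek_and_delete_old_entries continues past the hunk.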
@@ -1679,7 +1695,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 		krb5_enctype kt_entry_enctype =
 			smb_krb5_kt_get_enctype_from_entry(&kt_entry);
 
-		if (!flush && (princ_s != NULL)) {
+		if (princ_s != NULL) {
 			ret = smb_krb5_unparse_name(tmp_ctx, context,
 						    kt_entry.principal,
 						    &ktprinc);
@@ -1733,14 +1749,14 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 		 * the compare accordingly.
 		 */
 
-		if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
+		if (keep_old_kvno && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
 			DEBUG(5, (__location__ ": Saving previous (kvno %d) "
 				  "entry for principal: %s.\n",
 				  old_kvno, princ_s));
 			continue;
 		}
 
-		if (!flush &&
+		if (enctype_only &&
 		    ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
 		    (kt_entry_enctype != enctype)) {
 
@@ -1853,7 +1869,9 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
 	/* Seek and delete old keytab entries */
 	ret = smb_krb5_kt_seek_and_delete_old_entries(context,
 						      keytab,
+						      true, /* keep_old_kvno */
 						      kvno,
+						      true, /* enctype_only */
 						      enctype,
 						      princ_s,
 						      princ,
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 044e16d68f6..93a010323bf 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -213,7 +213,9 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
 						const char **keytab_name);
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 							krb5_keytab keytab,
+							bool keep_old_kvno,
 							krb5_kvno kvno,
+							bool enctype_only,
 							krb5_enctype enctype,
 							const char *princ_s,
 							krb5_principal princ,
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 76bbe935ada..00f9a495920 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
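Review bot: Dropping `!flush` from this condition is only correct because the new SMB_ASSERT block at the top of the function guarantees `princ_s == NULL` whenever `flush` is true, and that dependency is invisible at this point in the loop. A short comment above the test would keep the reasoning with the code: `/* princ_s is asserted NULL in flush mode, so this also skips the compare when flushing */`. The same reliance on the entry assertions applies to the `keep_old_kvno` and `enctype_only` conditions in the hunk at 1733, where `!flush` was removed as well. The enclosing loop starts and ends outside the hunk.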
@@ -483,7 +483,9 @@ int ads_keytab_flush(ADS_STRUCT *ads)
 	/* Seek and delete all old keytab entries */
 	ret = smb_krb5_kt_seek_and_delete_old_entries(context,
 						      keytab,
+						      false, /* keep_old_kvno */
 						      -1,
+						      false, /* enctype_only */
 						      ENCTYPE_NULL,
 						      NULL,
 						      NULL,
-- 
2.11.4.GIT
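Review bot: With `false` passed for both `keep_old_kvno` and `enctype_only`, the `-1` given for `kvno` and the `ENCTYPE_NULL` given for `enctype` no longer reach any comparison the visible hunks show, yet they still read as meaningful arguments. A comment on the call would make the placeholder role explicit, e.g. `/* kvno and enctype are ignored: neither keep_old_kvno nor enctype_only is set */`. The `-1` is still converted to `krb5_kvno` and used to compute `old_kvno` inside the callee, which is harmless only for as long as that value stays gated behind `keep_old_kvno`. The remaining arguments of this call, including `flush`, are outside the hunk.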