authorSimo Sorce <ssorce@redhat.com>2011-06-10 14:24:18 -0400
committerSimo Sorce <ssorce@redhat.com>2011-08-26 08:24:49 -0400
commit229b9a209cabc0f9dbdd630c0753cb565fab99c5 (patch)
treeac349e2ef0bb6c7c904317e0f5ca958d6debf4a5
parent5746bbe92a82946a6fa8d8db2be54e075564535d (diff)
ipa-pwd-extop: Use the proper mkvno number in keys
Setting 0 will work as MIT KDCs assume the current master key when that is found. But it is a legacy compatibility mode and we should instead set the proper mkvno number on keys so that changing the master key becomes possible without having to do a dump/reload and stop the service. This is especially important in replicated environments.
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c3
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h1
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c5
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c3
4 files changed, 6 insertions, 6 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index d03579fa..28b84f43 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -680,8 +680,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
kset->major_vno = 1;
kset->minor_vno = 1;
kset->kvno = kvno;
- /* we also assum mkvno is 0 */
- kset->mkvno = 0;
+ kset->mkvno = krbcfg->mkvno;
kset->keys = NULL;
kset->num_keys = 0;
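Review bot: The comment dropped with the old `/* we also assum mkvno is 0 */` line is not replaced, so the new `kset->mkvno = krbcfg->mkvno;` no longer says why this particular value is required; I would keep a one-line comment such as `/* mkvno must be the version of the master key (krbcfg->kmkey) these keys are encrypted under */`. The same applies to the parallel assignment in the encrypt_encode_key hunk of ipapwd_encoding.c. Whether kmkey is in fact the key used to wrap kset's keys is not visible in this hunk, so confirm that before wording the comment. ipapwd_setkeytab's body continues outside the hunk.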
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 75e82d3e..ed979882 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -105,6 +105,7 @@ struct ipapwd_encsalt {
struct ipapwd_krbcfg {
krb5_context krbctx;
char *realm;
+ int mkvno;
krb5_keyblock *kmkey;
int num_supp_encsalts;
struct ipapwd_encsalt *supp_encsalts;
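Review bot: The new `int mkvno;` member carries no comment, while what it denotes (which key's version number, and that it is decoded from the config entry) is only established in ipapwd_getConfig; a one-liner such as `int mkvno; /* version number of the master key held in kmkey */` keeps the struct self-describing. It is assigned from a liblber-decoded integer in ipapwd_common.c and then copied into the kset->mkvno field of generated key sets, whose type is not visible here; confirm that no sign or width conversion is needed on that copy. The struct definition continues outside the hunk.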
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 9e292b22..a4b4eb6a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -152,7 +152,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
Slapi_Attr *a;
Slapi_Value *v;
BerElement *be = NULL;
- ber_tag_t tag, tmp;
+ ber_tag_t tag, tvno;
ber_int_t ttype;
const struct berval *bval;
struct berval *mkey = NULL;
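Review bot: `tvno` is declared `ber_tag_t`, but it is filled by the first `i` conversion of `ber_scanf(be, "{i{iO}}", &tvno, &ttype, &mkey)` in the next hunk, which stores through a `ber_int_t *`; on builds where ber_tag_t is wider than ber_int_t (LP64 with the liblber implementations I am aware of), that is a mismatched pointer type through varargs and only part of `tvno` is written, the rest staying uninitialized. The old `tmp` had the same declaration but was never read, whereas the new `config->mkvno = tvno;` consumes the value, so the master key version stamped on every generated key set could be garbage. Declare it as `ber_int_t tvno;` next to `ttype` (`tag` genuinely holds the ber_scanf return and stays `ber_tag_t`), and consider rejecting a negative decoded version before storing it, since the value is later copied into key sets. ipapwd_getConfig continues outside both hunks.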
@@ -219,12 +219,13 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
goto free_and_error;
}
- tag = ber_scanf(be, "{i{iO}}", &tmp, &ttype, &mkey);
+ tag = ber_scanf(be, "{i{iO}}", &tvno, &ttype, &mkey);
if (tag == LBER_ERROR) {
LOG_FATAL("Bad Master key encoding ?!\n");
goto free_and_error;
}
+ config->mkvno = tvno;
kmkey->magic = KV5M_KEYBLOCK;
kmkey->enctype = ttype;
kmkey->length = mkey->bv_len;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 970d26b5..6be02f9f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -298,8 +298,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
kset->minor_vno = 1;
/* increment kvno (will be 1 if this is a new entry) */
kset->kvno = kvno + 1;
- /* we also assum mkvno is 0 */
- kset->mkvno = 0;
+ kset->mkvno = krbcfg->mkvno;
kset->num_keys = krbcfg->num_pref_encsalts;
kset->keys = calloc(kset->num_keys, sizeof(struct ipapwd_krbkey));