MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change from commit 35b2fb4ff32 resulted in breakage for these kerberos
versions: 'net ads keytab create' reads a large KVNO from AD, and only the lower 8 bits are stored. The next check then removed the entry again as the 8 bit value did not match the currently valid KVNO.
Fix this by limiting the check to only 8 bits.
97eaeea6a13 krb5_wrap: fix keep_old_entries logic for older kerberos libraries
lib/krb5_wrap/krb5_samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)