From: Tom Yu
Date: Sat, 2 Aug 2014 18:20:33 +0000 (-0400)
Subject: Use write lock flag for update_princ_encryption
X-Git-Tag: krb5-1.13-alpha1~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d3db948464bf7a38afa458f2f54867d107bbb72;p=thirdparty%2Fkrb5.git
Use write lock flag for update_princ_encryption
In kdb5_util update_princ_encryption, instead of getting a write lock on the KDB surrounding the call to krb5_db_iterate(), use the iterflags parameter of krb5_db_iterate() to request that it obtain a write lock around the iteration.
ticket: 7977
---
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index aefde7b673..9088d5f012 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -912,6 +912,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
 char *regexp = NULL;
 krb5_keyblock *act_mkey;
 krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
+ krb5_flags iterflags;
 while ((optchar = getopt(argc, argv, "fnv")) != -1) {
 switch (optchar) {
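Review bot: `iterflags` is declared without an initializer in this hunk, and the second hunk (`@@ -1025,23 +1026,17 @@`) assigns it only inside `if (!data.dry_run)`, so on a dry run `krb5_db_iterate()` is called with an indeterminate flags value. Reading it is undefined behaviour, and in practice the iteration could receive arbitrary flag bits, including the write-lock request that the dry-run path is meant to skip. Initialize it at the declaration, `krb5_flags iterflags = 0;`, which matches the literal `0` the call passed before this change. The function body extends beyond both hunks, but the variable is new in this commit, so no other assignment is expected in the lines not shown.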
@@ -1025,23 +1026,17 @@ kdb5_update_princ_encryption(int argc, char *argv[])
 if (!data.dry_run) {
 /* Grab a write lock so we don't have to upgrade to a write lock and
 * reopen the DB while iterating. */
- retval = krb5_db_lock(util_context, KRB5_DB_LOCKMODE_EXCLUSIVE);
- if (retval != 0 && retval != KRB5_PLUGIN_OP_NOTSUPP) {
- com_err(progname, retval, _("trying to lock database"));
- exit_status++;
- }
+ iterflags = KRB5_DB_ITER_WRITE;
 }
 retval = krb5_db_iterate(util_context, name_pattern,
- update_princ_encryption_1, &data, 0);
+ update_princ_encryption_1, &data, iterflags);
 /* If exit_status is set, then update_princ_encryption_1 already printed a message. */
 if (retval != 0 && exit_status == 0) {
 com_err(progname, retval, _("trying to process principal database"));
 exit_status++;
 }
- if (!data.dry_run)
- (void)krb5_db_unlock(util_context);
 (void) krb5_db_fini(util_context);
 if (data.dry_run) {
 printf(_("%u principals processed: %u would be updated, %u already "
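Review bot: A failure to obtain the write lock is no longer reported on its own. The removed `krb5_db_lock()` block printed "trying to lock database" and tolerated `KRB5_PLUGIN_OP_NOTSUPP`, whereas a lock error now has to surface through the `krb5_db_iterate()` return value under the generic "trying to process principal database" message. How a KDB module without lock support treats `KRB5_DB_ITER_WRITE` is not visible in this hunk and is worth confirming, since the old code explicitly allowed that case to proceed. The retained comment still says "Grab a write lock" above what is now a flag assignment; it would read more accurately as `/* Ask krb5_db_iterate() to hold a write lock for the whole iteration so we don't have to upgrade the lock and reopen the DB while iterating. */`. The function continues past the end of the hunk.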