2004-06-17 21:39:51 +00:00
/*
Unix SMB / CIFS implementation .
kerberos keytab utility library
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Remus Koos 2001
Copyright ( C ) Luke Howard 2003
Copyright ( C ) Jim McDonough ( jmcd @ us . ibm . com ) 2003
2007-06-29 09:42:14 +00:00
Copyright ( C ) Guenther Deschner 2003
2004-06-17 21:39:51 +00:00
Copyright ( C ) Rakesh Patel 2004
Copyright ( C ) Dan Perry 2004
2004-06-17 23:07:20 +00:00
Copyright ( C ) Jeremy Allison 2004
2006-07-11 18:45:22 +00:00
Copyright ( C ) Gerald Carter 2006
2004-06-17 21:39:51 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-06-17 21:39:51 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-06-17 21:39:51 +00:00
*/
# include "includes.h"
2009-11-27 15:52:57 +01:00
# include "smb_krb5.h"
2010-07-02 00:32:52 +02:00
# include "ads.h"
2010-08-05 02:25:37 +02:00
# include "secrets.h"
2004-06-17 21:39:51 +00:00
# ifdef HAVE_KRB5
2011-04-15 12:37:55 +02:00
# ifdef HAVE_ADS
2006-07-11 18:45:22 +00:00
/**********************************************************************
Adds a single service principal , i . e . ' host ' to the system keytab
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
int ads_keytab_add_entry ( ADS_STRUCT * ads , const char * srvPrinc )
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_data password ;
krb5_kvno kvno ;
2011-12-15 18:12:41 +01:00
krb5_enctype enctypes [ 6 ] = {
2010-08-18 04:33:32 -04:00
ENCTYPE_DES_CBC_CRC ,
ENCTYPE_DES_CBC_MD5 ,
2011-12-15 18:12:41 +01:00
# ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96 ,
# endif
# ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96 ,
# endif
2010-08-18 04:33:32 -04:00
ENCTYPE_ARCFOUR_HMAC ,
0
} ;
char * princ_s = NULL ;
char * short_princ_s = NULL ;
2016-02-29 16:21:56 +01:00
char * salt_princ_s = NULL ;
2006-07-11 18:45:22 +00:00
char * password_s = NULL ;
char * my_fqdn ;
2010-08-18 04:33:32 -04:00
TALLOC_CTX * tmpctx = NULL ;
2006-07-11 18:45:22 +00:00
char * machine_name ;
2010-08-18 04:33:32 -04:00
ADS_STATUS aderr ;
2016-02-29 16:21:56 +01:00
int i ;
2006-07-11 18:45:22 +00:00
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 1 , ( __location__ " : could not krb5_init_context: %s \n " ,
error_message ( ret ) ) ) ;
2006-07-11 18:45:22 +00:00
return - 1 ;
}
2007-06-29 08:56:35 +00:00
2016-08-29 11:03:51 +02:00
ret = smb_krb5_kt_open ( context , NULL , True , & keytab ) ;
2006-07-11 18:45:22 +00:00
if ( ret ) {
2016-08-29 11:03:51 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_open failed (%s) \n " ,
2010-08-18 04:33:32 -04:00
error_message ( ret ) ) ) ;
2006-07-11 18:45:22 +00:00
goto out ;
}
/* retrieve the password */
if ( ! secrets_init ( ) ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 1 , ( __location__ " : secrets_init failed \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
password_s = secrets_fetch_machine_password ( lp_workgroup ( ) , NULL , NULL ) ;
if ( ! password_s ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 1 , ( __location__ " : failed to fetch machine password \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2008-07-30 16:06:30 -07:00
ZERO_STRUCT ( password ) ;
2006-07-11 18:45:22 +00:00
password . data = password_s ;
password . length = strlen ( password_s ) ;
/* we need the dNSHostName value here */
2010-08-18 04:33:32 -04:00
tmpctx = talloc_init ( __location__ ) ;
if ( ! tmpctx ) {
DEBUG ( 0 , ( __location__ " : talloc_init() failed! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
2011-06-09 15:31:03 +10:00
my_fqdn = ads_get_dnshostname ( ads , tmpctx , lp_netbios_name ( ) ) ;
2010-08-18 04:33:32 -04:00
if ( ! my_fqdn ) {
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's dns name in AD! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
2010-08-18 04:33:32 -04:00
goto out ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 04:33:32 -04:00
2011-06-09 15:31:03 +10:00
machine_name = ads_get_samaccountname ( ads , tmpctx , lp_netbios_name ( ) ) ;
2010-08-18 04:33:32 -04:00
if ( ! machine_name ) {
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's short name in AD! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
2010-08-18 04:33:32 -04:00
goto out ;
2006-07-11 18:45:22 +00:00
}
/*strip the trailing '$' */
machine_name [ strlen ( machine_name ) - 1 ] = ' \0 ' ;
2010-08-18 04:33:32 -04:00
/* Construct our principal */
2006-07-11 18:45:22 +00:00
if ( strchr_m ( srvPrinc , ' @ ' ) ) {
/* It's a fully-named principal. */
2010-08-18 04:33:32 -04:00
princ_s = talloc_asprintf ( tmpctx , " %s " , srvPrinc ) ;
if ( ! princ_s ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else if ( srvPrinc [ strlen ( srvPrinc ) - 1 ] = = ' $ ' ) {
/* It's the machine account, as used by smbclient clients. */
2010-08-18 04:33:32 -04:00
princ_s = talloc_asprintf ( tmpctx , " %s@%s " ,
srvPrinc , lp_realm ( ) ) ;
if ( ! princ_s ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else {
/* It's a normal service principal. Add the SPN now so that we
* can obtain credentials for it and double - check the salt value
* used to generate the service ' s keys . */
2010-08-18 04:33:32 -04:00
princ_s = talloc_asprintf ( tmpctx , " %s/%s@%s " ,
srvPrinc , my_fqdn , lp_realm ( ) ) ;
if ( ! princ_s ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
short_princ_s = talloc_asprintf ( tmpctx , " %s/%s@%s " ,
srvPrinc , machine_name ,
lp_realm ( ) ) ;
2012-12-17 14:33:45 +01:00
if ( short_princ_s = = NULL ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
/* According to http://support.microsoft.com/kb/326985/en-us,
certain principal names are automatically mapped to the
host / . . . principal in the AD account .
So only create these in the keytab , not in AD . - - jerry */
if ( ! strequal ( srvPrinc , " cifs " ) & &
! strequal ( srvPrinc , " host " ) ) {
DEBUG ( 3 , ( __location__ " : Attempting to add/update "
" '%s' \n " , princ_s ) ) ;
aderr = ads_add_service_principal_name ( ads ,
2011-06-09 15:31:03 +10:00
lp_netbios_name ( ) , my_fqdn , srvPrinc ) ;
2010-08-18 04:33:32 -04:00
if ( ! ADS_ERR_OK ( aderr ) ) {
DEBUG ( 1 , ( __location__ " : failed to "
" ads_add_service_principal_name. \n " ) ) ;
2006-07-11 18:45:22 +00:00
goto out ;
}
}
}
2011-06-09 15:31:03 +10:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:33:32 -04:00
if ( kvno = = - 1 ) {
/* -1 indicates failure, everything else is OK */
DEBUG ( 1 , ( __location__ " : ads_get_machine_kvno failed to "
" determine the system's kvno. \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
2016-02-29 16:21:56 +01:00
for ( i = 0 ; enctypes [ i ] ; i + + ) {
salt_princ_s = kerberos_fetch_salt_princ_for_host_princ ( context ,
princ_s ,
enctypes [ i ] ) ;
/* add the fqdn principal to the keytab */
ret = smb_krb5_kt_add_entry ( context ,
keytab ,
kvno ,
princ_s ,
salt_princ_s ,
enctypes [ i ] ,
2016-02-29 17:22:50 +01:00
& password ,
2016-02-29 16:21:56 +01:00
false ,
false ) ;
2010-08-18 04:33:32 -04:00
if ( ret ) {
2016-02-29 16:21:56 +01:00
DEBUG ( 1 , ( __location__ " : Failed to add entry to keytab \n " ) ) ;
SAFE_FREE ( salt_princ_s ) ;
2006-07-11 18:45:22 +00:00
goto out ;
}
2016-02-29 16:21:56 +01:00
/* add the short principal name if we have one */
if ( short_princ_s ) {
ret = smb_krb5_kt_add_entry ( context ,
keytab ,
kvno ,
short_princ_s ,
salt_princ_s ,
enctypes [ i ] ,
2016-02-29 17:22:50 +01:00
& password ,
2016-02-29 16:21:56 +01:00
false ,
false ) ;
if ( ret ) {
DEBUG ( 1 , ( __location__
" : Failed to add short entry to keytab \n " ) ) ;
SAFE_FREE ( salt_princ_s ) ;
goto out ;
}
}
SAFE_FREE ( salt_princ_s ) ;
2006-07-11 18:45:22 +00:00
}
out :
2010-08-18 04:33:32 -04:00
TALLOC_FREE ( tmpctx ) ;
2004-06-17 23:07:20 +00:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
if ( context ) {
krb5_free_context ( context ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
return ( int ) ret ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 00:24:53 +00:00
/**********************************************************************
2004-06-18 23:15:42 +00:00
Flushes all entries from the system keytab .
2004-06-18 00:24:53 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_flush ( ADS_STRUCT * ads )
{
2004-06-18 02:07:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
2010-08-18 04:16:41 -04:00
ADS_STATUS aderr ;
2004-06-24 19:48:52 +00:00
2004-06-17 21:39:51 +00:00
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
2010-08-18 04:16:41 -04:00
DEBUG ( 1 , ( __location__ " : could not krb5_init_context: %s \n " ,
error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-06-29 08:56:35 +00:00
2016-08-29 11:03:51 +02:00
ret = smb_krb5_kt_open ( context , NULL , True , & keytab ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2016-08-29 11:03:51 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_open failed (%s) \n " ,
2010-08-18 04:16:41 -04:00
error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2011-06-09 15:31:03 +10:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:16:41 -04:00
if ( kvno = = - 1 ) {
/* -1 indicates a failure */
DEBUG ( 1 , ( __location__ " : Error determining the kvno. \n " ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2010-08-18 04:16:41 -04:00
/* Seek and delete old keytab entries */
2016-02-29 17:31:56 +01:00
ret = smb_krb5_kt_seek_and_delete_old_entries ( context ,
keytab ,
kvno ,
2016-04-26 15:45:17 +02:00
ENCTYPE_NULL ,
2016-02-29 17:31:56 +01:00
NULL ,
NULL ,
true ,
false ) ;
2010-08-18 04:16:41 -04:00
if ( ret ) {
goto out ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
2011-06-09 15:31:03 +10:00
aderr = ads_clear_service_principal_names ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:16:41 -04:00
if ( ! ADS_ERR_OK ( aderr ) ) {
DEBUG ( 1 , ( __location__ " : Error while clearing service "
" principal listings in LDAP. \n " ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
out :
2004-06-18 02:07:42 +00:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2004-06-18 23:15:42 +00:00
/**********************************************************************
Adds all the required service principals to the system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_create_default ( ADS_STRUCT * ads )
{
2004-06-18 23:15:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2015-03-04 10:09:51 +01:00
krb5_kt_cursor cursor = { 0 } ;
2015-03-04 10:09:18 +01:00
krb5_keytab_entry kt_entry = { 0 } ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
2014-09-24 10:51:33 +02:00
size_t found = 0 ;
2006-07-11 18:45:22 +00:00
char * sam_account_name , * upn ;
2005-03-11 20:59:16 +00:00
char * * oldEntries = NULL , * princ_s [ 26 ] ;
2014-09-24 10:51:33 +02:00
TALLOC_CTX * frame ;
2010-08-18 06:09:27 -04:00
char * machine_name ;
2014-09-24 10:51:33 +02:00
char * * spn_array ;
size_t num_spns ;
size_t i ;
ADS_STATUS status ;
2006-07-11 18:45:22 +00:00
2015-05-02 13:44:52 +03:00
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
2014-09-24 10:51:33 +02:00
frame = talloc_stackframe ( ) ;
if ( frame = = NULL ) {
ret = - 1 ;
goto done ;
}
status = ads_get_service_principal_names ( frame ,
ads ,
lp_netbios_name ( ) ,
& spn_array ,
& num_spns ) ;
if ( ! ADS_ERR_OK ( status ) ) {
ret = - 1 ;
goto done ;
2004-06-17 21:39:51 +00:00
}
2006-07-11 18:45:22 +00:00
2014-09-24 10:51:33 +02:00
for ( i = 0 ; i < num_spns ; i + + ) {
char * srv_princ ;
char * p ;
srv_princ = strlower_talloc ( frame , spn_array [ i ] ) ;
if ( srv_princ = = NULL ) {
ret = - 1 ;
goto done ;
}
p = strchr_m ( srv_princ , ' / ' ) ;
if ( p = = NULL ) {
continue ;
}
p [ 0 ] = ' \0 ' ;
/* Add the SPNs found on the DC */
ret = ads_keytab_add_entry ( ads , srv_princ ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( " ads_keytab_add_entry failed while "
" adding '%s' principal. \n " ,
spn_array [ i ] ) ) ;
goto done ;
}
}
2006-07-11 18:45:22 +00:00
2010-08-18 06:09:27 -04:00
#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
really needs them and we will fall back to verifying against
secrets . tdb */
ret = ads_keytab_add_entry ( ads , " cifs " ) ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry failed while "
" adding 'cifs'. \n " ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2006-07-11 18:45:22 +00:00
# endif
2004-06-17 21:39:51 +00:00
2010-08-18 06:09:27 -04:00
memset ( princ_s , ' \0 ' , sizeof ( princ_s ) ) ;
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
DEBUG ( 1 , ( __location__ " : could not krb5_init_context: %s \n " ,
error_message ( ret ) ) ) ;
goto done ;
}
2007-01-02 21:29:09 +00:00
2014-09-24 10:51:33 +02:00
machine_name = talloc_strdup ( frame , lp_netbios_name ( ) ) ;
2010-08-18 06:09:27 -04:00
if ( ! machine_name ) {
ret = - 1 ;
goto done ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 06:09:27 -04:00
/* now add the userPrincipalName and sAMAccountName entries */
2014-09-24 10:51:33 +02:00
sam_account_name = ads_get_samaccountname ( ads , frame , machine_name ) ;
2010-08-18 06:09:27 -04:00
if ( ! sam_account_name ) {
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's name in AD! \n " ) ) ;
ret = - 1 ;
goto done ;
}
2007-01-02 21:29:09 +00:00
2010-08-18 06:09:27 -04:00
/* upper case the sAMAccountName to make it easier for apps to
know what case to use in the keytab file */
2012-08-08 15:35:28 -07:00
if ( ! strupper_m ( sam_account_name ) ) {
ret = - 1 ;
goto done ;
}
2007-01-02 21:29:09 +00:00
2010-08-18 06:09:27 -04:00
ret = ads_keytab_add_entry ( ads , sam_account_name ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry() failed "
" while adding sAMAccountName (%s) \n " ,
sam_account_name ) ) ;
goto done ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 06:09:27 -04:00
2006-07-11 18:45:22 +00:00
/* remember that not every machine account will have a upn */
2014-09-24 10:51:33 +02:00
upn = ads_get_upn ( ads , frame , machine_name ) ;
2010-08-18 06:09:27 -04:00
if ( upn ) {
ret = ads_keytab_add_entry ( ads , upn ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry() "
" failed while adding UPN (%s) \n " , upn ) ) ;
goto done ;
2004-10-30 00:34:58 +00:00
}
}
2010-08-18 06:09:27 -04:00
/* Now loop through the keytab and update any other existing entries */
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , machine_name ) ;
2014-09-24 10:51:33 +02:00
if ( kvno = = ( krb5_kvno ) - 1 ) {
2010-08-18 06:09:27 -04:00
DEBUG ( 1 , ( __location__ " : ads_get_machine_kvno() failed to "
" determine the system's kvno. \n " ) ) ;
goto done ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
2010-08-18 06:09:27 -04:00
DEBUG ( 3 , ( __location__ " : Searching for keytab entries to preserve "
" and update. \n " ) ) ;
2007-06-29 09:54:39 +00:00
2016-08-29 11:03:51 +02:00
ret = smb_krb5_kt_open ( context , NULL , True , & keytab ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2016-08-29 11:03:51 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_open failed (%s) \n " ,
2010-08-18 06:09:27 -04:00
error_message ( ret ) ) ) ;
2007-06-29 09:58:11 +00:00
goto done ;
2004-06-17 21:39:51 +00:00
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2010-08-18 06:09:27 -04:00
while ( ( ret = krb5_kt_next_entry ( context , keytab ,
& kt_entry , & cursor ) ) = = 0 ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
found + + ;
}
}
2004-06-18 23:15:42 +00:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
2004-06-18 23:15:42 +00:00
/*
2010-08-18 06:09:27 -04:00
* Hmmm . There is no " rewind " function for the keytab . This means we
* have a race condition where someone else could add entries after
* we ' ve counted them . Re - open asap to minimise the race . JRA .
2004-06-18 23:15:42 +00:00
*/
2014-09-24 10:51:33 +02:00
DEBUG ( 3 , ( __location__ " : Found %zd entries in the keytab. \n " , found ) ) ;
2004-06-17 21:39:51 +00:00
if ( ! found ) {
goto done ;
}
2010-08-18 06:09:27 -04:00
2014-11-12 17:21:05 +01:00
oldEntries = talloc_zero_array ( frame , char * , found + 1 ) ;
2004-06-17 21:39:51 +00:00
if ( ! oldEntries ) {
2010-08-18 06:09:27 -04:00
DEBUG ( 1 , ( __location__ " : Failed to allocate space to store "
" the old keytab entries (talloc failed?). \n " ) ) ;
2004-06-18 23:15:42 +00:00
ret = - 1 ;
goto done ;
2004-06-17 21:39:51 +00:00
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
2010-08-18 06:09:27 -04:00
if ( ret = = KRB5_KT_END | | ret = = ENOENT ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
ZERO_STRUCT ( cursor ) ;
goto done ;
}
2004-06-18 23:15:42 +00:00
2010-08-18 06:09:27 -04:00
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
if ( kt_entry . vno ! = kvno ) {
char * ktprinc = NULL ;
char * p ;
2004-10-30 00:34:58 +00:00
2010-08-18 06:09:27 -04:00
/* This returns a malloc'ed string in ktprinc. */
ret = smb_krb5_unparse_name ( oldEntries , context ,
kt_entry . principal ,
& ktprinc ) ;
if ( ret ) {
DEBUG ( 1 , ( __location__
" : smb_krb5_unparse_name failed "
" (%s) \n " , error_message ( ret ) ) ) ;
goto done ;
}
/*
* From looking at the krb5 source they don ' t seem to
* take locale or mb strings into account .
* Maybe this is because they assume utf8 ?
* In this case we may need to convert from utf8 to
* mb charset here ? JRA .
*/
p = strchr_m ( ktprinc , ' @ ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
p = strchr_m ( ktprinc , ' / ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
for ( i = 0 ; i < found ; i + + ) {
if ( ! oldEntries [ i ] ) {
oldEntries [ i ] = ktprinc ;
break ;
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
if ( ! strcmp ( oldEntries [ i ] , ktprinc ) ) {
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ktprinc ) ;
2010-08-18 06:09:27 -04:00
break ;
2004-06-23 00:20:31 +00:00
}
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
if ( i = = found ) {
TALLOC_FREE ( ktprinc ) ;
}
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
}
2015-05-02 13:44:53 +03:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
ZERO_STRUCT ( cursor ) ;
2010-08-18 06:09:27 -04:00
ret = 0 ;
for ( i = 0 ; oldEntries [ i ] ; i + + ) {
ret | = ads_keytab_add_entry ( ads , oldEntries [ i ] ) ;
TALLOC_FREE ( oldEntries [ i ] ) ;
}
2004-06-17 21:39:51 +00:00
done :
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( oldEntries ) ;
2014-09-24 10:51:33 +02:00
TALLOC_FREE ( frame ) ;
2004-06-18 23:15:42 +00:00
2016-06-08 14:50:59 -07:00
if ( context ) {
2004-06-18 23:15:42 +00:00
krb5_keytab_entry zero_kt_entry ;
2016-06-08 14:50:59 -07:00
krb5_kt_cursor zero_csr ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( zero_kt_entry ) ;
2016-06-08 14:50:59 -07:00
ZERO_STRUCT ( zero_csr ) ;
2010-08-18 06:09:27 -04:00
if ( memcmp ( & zero_kt_entry , & kt_entry ,
sizeof ( krb5_keytab_entry ) ) ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
}
2010-08-18 06:09:27 -04:00
if ( ( memcmp ( & cursor , & zero_csr ,
sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
}
2016-06-08 14:50:59 -07:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
2004-06-18 23:15:42 +00:00
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-04-23 08:40:54 +00:00
2011-04-15 12:37:55 +02:00
# endif /* HAVE_ADS */
2007-04-23 08:40:54 +00:00
/**********************************************************************
List system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-06-29 09:01:29 +00:00
int ads_keytab_list ( const char * keytab_name )
2007-04-23 08:40:54 +00:00
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_kt_cursor cursor ;
krb5_keytab_entry kt_entry ;
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
2010-08-18 06:46:53 -04:00
DEBUG ( 1 , ( __location__ " : could not krb5_init_context: %s \n " ,
error_message ( ret ) ) ) ;
2007-04-23 08:40:54 +00:00
return ret ;
}
2007-06-29 08:56:35 +00:00
2016-08-29 11:03:51 +02:00
ret = smb_krb5_kt_open ( context , keytab_name , False , & keytab ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
2016-08-29 11:03:51 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_open failed (%s) \n " ,
2010-08-18 06:46:53 -04:00
error_message ( ret ) ) ) ;
2007-04-23 08:40:54 +00:00
goto out ;
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
2010-08-31 14:27:56 +02:00
ZERO_STRUCT ( cursor ) ;
2007-04-23 08:40:54 +00:00
goto out ;
}
2012-01-06 17:48:58 +01:00
printf ( " Vno Type Principal \n " ) ;
2007-04-23 08:40:54 +00:00
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
2010-08-18 06:46:53 -04:00
2007-04-23 08:40:54 +00:00
char * princ_s = NULL ;
char * etype_s = NULL ;
krb5_enctype enctype = 0 ;
2010-08-18 06:46:53 -04:00
ret = smb_krb5_unparse_name ( talloc_tos ( ) , context ,
kt_entry . principal , & princ_s ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
goto out ;
}
2016-08-29 09:17:37 +02:00
enctype = smb_krb5_kt_get_enctype_from_entry ( & kt_entry ) ;
2007-04-23 08:40:54 +00:00
ret = smb_krb5_enctype_to_string ( context , enctype , & etype_s ) ;
2010-08-18 06:46:53 -04:00
if ( ret & &
( asprintf ( & etype_s , " UNKNOWN: %d \n " , enctype ) = = - 1 ) ) {
TALLOC_FREE ( princ_s ) ;
goto out ;
2007-04-23 08:40:54 +00:00
}
2012-01-06 17:48:58 +01:00
printf ( " %3d %-43s %s \n " , kt_entry . vno , etype_s , princ_s ) ;
2007-04-23 08:40:54 +00:00
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( princ_s ) ;
2007-04-23 08:40:54 +00:00
SAFE_FREE ( etype_s ) ;
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
if ( ret ) {
goto out ;
}
}
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
goto out ;
}
/* Ensure we don't double free. */
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
out :
{
krb5_keytab_entry zero_kt_entry ;
ZERO_STRUCT ( zero_kt_entry ) ;
2010-08-18 06:46:53 -04:00
if ( memcmp ( & zero_kt_entry , & kt_entry ,
sizeof ( krb5_keytab_entry ) ) ) {
2007-04-23 08:40:54 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
}
}
{
krb5_kt_cursor zero_csr ;
ZERO_STRUCT ( zero_csr ) ;
2010-08-18 06:46:53 -04:00
if ( ( memcmp ( & cursor , & zero_csr ,
sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2007-04-23 08:40:54 +00:00
}
}
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
return ret ;
}
2004-06-17 21:39:51 +00:00
# endif /* HAVE_KRB5 */