2004-06-17 21:39:51 +00:00
/*
Unix SMB / CIFS implementation .
kerberos keytab utility library
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Remus Koos 2001
Copyright ( C ) Luke Howard 2003
Copyright ( C ) Jim McDonough ( jmcd @ us . ibm . com ) 2003
2007-06-29 09:42:14 +00:00
Copyright ( C ) Guenther Deschner 2003
2004-06-17 21:39:51 +00:00
Copyright ( C ) Rakesh Patel 2004
Copyright ( C ) Dan Perry 2004
2004-06-17 23:07:20 +00:00
Copyright ( C ) Jeremy Allison 2004
2006-07-11 18:45:22 +00:00
Copyright ( C ) Gerald Carter 2006
2004-06-17 21:39:51 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-06-17 21:39:51 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-06-17 21:39:51 +00:00
*/
# include "includes.h"
# ifdef HAVE_KRB5
2004-06-17 23:07:20 +00:00
/**********************************************************************
2006-07-11 18:45:22 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 23:07:20 +00:00
2008-06-30 10:29:15 +02:00
int smb_krb5_kt_add_entry_ext ( krb5_context context ,
krb5_keytab keytab ,
krb5_kvno kvno ,
const char * princ_s ,
krb5_enctype * enctypes ,
krb5_data password ,
2008-06-30 10:32:15 +02:00
bool no_salt ,
bool keep_old_entries )
2004-06-17 21:39:51 +00:00
{
2004-06-17 23:07:20 +00:00
krb5_error_code ret = 0 ;
2004-06-24 19:48:52 +00:00
krb5_kt_cursor cursor ;
2004-06-17 23:07:20 +00:00
krb5_keytab_entry kt_entry ;
krb5_principal princ = NULL ;
2004-06-17 21:39:51 +00:00
int i ;
char * ktprinc = NULL ;
2004-06-17 23:07:20 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2006-07-11 18:45:22 +00:00
2006-04-24 15:57:54 +00:00
ret = smb_krb5_parse_name ( context , princ_s , & princ ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: smb_krb5_parse_name(%s) failed (%s) \n " , princ_s , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
/* Seek and delete old keytab entries */
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 3 , ( " smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries \n " ) ) ;
2004-06-17 23:07:20 +00:00
while ( ! krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) ) {
2007-10-18 17:40:25 -07:00
bool compare_name_ok = False ;
2004-06-17 21:39:51 +00:00
2009-03-18 16:23:27 +11:00
ret = smb_krb5_unparse_name ( talloc_tos ( ) , context , kt_entry . principal , & ktprinc ) ;
2004-06-17 23:07:20 +00:00
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: smb_krb5_unparse_name failed (%s) \n " ,
2006-04-24 15:57:54 +00:00
error_message ( ret ) ) ) ;
2004-06-17 23:07:20 +00:00
goto out ;
}
2004-06-17 21:39:51 +00:00
/*---------------------------------------------------------------------------
* Save the entries with kvno - 1. This is what microsoft does
* to allow people with existing sessions that have kvno - 1 to still
* work . Otherwise , when the password for the machine changes , all
* kerberizied sessions will ' break ' until either the client reboots or
* the client ' s session key expires and they get a new session ticket
* with the new kvno .
*/
# ifdef HAVE_KRB5_KT_COMPARE
2004-11-03 02:18:51 +00:00
compare_name_ok = ( krb5_kt_compare ( context , & kt_entry , princ , 0 , 0 ) = = True ) ;
2004-06-17 21:39:51 +00:00
# else
2004-11-03 02:18:51 +00:00
compare_name_ok = ( strcmp ( ktprinc , princ_s ) = = 0 ) ;
2004-06-17 21:39:51 +00:00
# endif
2004-11-03 02:18:51 +00:00
if ( ! compare_name_ok ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 10 , ( " smb_krb5_kt_add_entry_ext: ignoring keytab entry principal %s, kvno = %d \n " ,
2004-11-03 02:18:51 +00:00
ktprinc , kt_entry . vno ) ) ;
}
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ktprinc ) ;
2004-06-18 00:24:53 +00:00
2004-11-03 02:18:51 +00:00
if ( compare_name_ok ) {
if ( kt_entry . vno = = kvno - 1 ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 5 , ( " smb_krb5_kt_add_entry_ext: Saving previous (kvno %d) entry for principal: %s. \n " ,
2004-11-03 02:18:51 +00:00
kvno - 1 , princ_s ) ) ;
2008-06-30 10:32:15 +02:00
} else if ( ! keep_old_entries ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 5 , ( " smb_krb5_kt_add_entry_ext: Found old entry for principal: %s (kvno %d) - trying to remove it. \n " ,
2004-11-03 02:18:51 +00:00
princ_s , kt_entry . vno ) ) ;
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
ZERO_STRUCT ( cursor ) ;
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get() failed (%s) \n " ,
2004-11-03 02:18:51 +00:00
error_message ( ret ) ) ) ;
goto out ;
}
ret = krb5_kt_remove_entry ( context , keytab , & kt_entry ) ;
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s) \n " ,
2004-11-03 02:18:51 +00:00
error_message ( ret ) ) ) ;
goto out ;
}
2008-06-30 10:29:15 +02:00
DEBUG ( 5 , ( " smb_krb5_kt_add_entry_ext: removed old entry for principal: %s (kvno %d). \n " ,
2004-11-03 02:18:51 +00:00
princ_s , kt_entry . vno ) ) ;
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: krb5_kt_start_seq failed (%s) \n " ,
2004-11-03 02:18:51 +00:00
error_message ( ret ) ) ) ;
goto out ;
}
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
ZERO_STRUCT ( kt_entry ) ;
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s) \n " ,
2004-11-03 02:18:51 +00:00
error_message ( ret ) ) ) ;
goto out ;
}
continue ;
2004-06-17 21:39:51 +00:00
}
}
2004-06-18 00:24:53 +00:00
/* Not a match, just free this entry and continue. */
2004-06-24 05:56:44 +00:00
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 00:24:53 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: smb_krb5_kt_free_entry failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
}
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
}
2004-06-18 00:24:53 +00:00
/* Ensure we don't double free. */
ZERO_STRUCT ( kt_entry ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
2004-06-18 00:24:53 +00:00
/* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
2004-06-17 21:39:51 +00:00
2004-06-18 00:24:53 +00:00
/* Now add keytab entries for all encryption types */
for ( i = 0 ; enctypes [ i ] ; i + + ) {
krb5_keyblock * keyp ;
2004-06-17 21:39:51 +00:00
2008-08-22 14:58:01 +02:00
keyp = KRB5_KT_KEY ( & kt_entry ) ;
2008-06-18 12:45:57 +02:00
if ( create_kerberos_key_from_string ( context , princ , & password , keyp , enctypes [ i ] , no_salt ) ) {
2004-06-18 00:24:53 +00:00
continue ;
}
kt_entry . principal = princ ;
kt_entry . vno = kvno ;
2008-06-30 10:29:15 +02:00
DEBUG ( 3 , ( " smb_krb5_kt_add_entry_ext: adding keytab entry for (%s) with encryption type (%d) and version (%d) \n " ,
2004-06-18 00:24:53 +00:00
princ_s , enctypes [ i ] , kt_entry . vno ) ) ;
ret = krb5_kt_add_entry ( context , keytab , & kt_entry ) ;
2004-06-22 21:58:35 +00:00
krb5_free_keyblock_contents ( context , keyp ) ;
2004-06-18 00:24:53 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2008-06-30 10:29:15 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_add_entry_ext: adding entry to keytab failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
}
2004-06-18 00:24:53 +00:00
2004-06-17 21:39:51 +00:00
out :
2004-06-17 23:07:20 +00:00
{
krb5_keytab_entry zero_kt_entry ;
ZERO_STRUCT ( zero_kt_entry ) ;
if ( memcmp ( & zero_kt_entry , & kt_entry , sizeof ( krb5_keytab_entry ) ) ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-17 23:07:20 +00:00
}
}
if ( princ ) {
krb5_free_principal ( context , princ ) ;
}
2006-07-11 18:45:22 +00:00
2004-06-24 19:48:52 +00:00
{
krb5_kt_cursor zero_csr ;
ZERO_STRUCT ( zero_csr ) ;
if ( ( memcmp ( & cursor , & zero_csr , sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
}
2004-06-17 21:39:51 +00:00
}
2006-07-11 18:45:22 +00:00
return ( int ) ret ;
}
2008-07-18 16:41:34 +02:00
static int smb_krb5_kt_add_entry ( krb5_context context ,
krb5_keytab keytab ,
krb5_kvno kvno ,
const char * princ_s ,
krb5_enctype * enctypes ,
krb5_data password )
2008-06-30 10:29:15 +02:00
{
return smb_krb5_kt_add_entry_ext ( context ,
keytab ,
kvno ,
princ_s ,
enctypes ,
password ,
2008-06-30 10:32:15 +02:00
false ,
2008-06-30 10:29:15 +02:00
false ) ;
}
2006-07-11 18:45:22 +00:00
/**********************************************************************
Adds a single service principal , i . e . ' host ' to the system keytab
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
int ads_keytab_add_entry ( ADS_STRUCT * ads , const char * srvPrinc )
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_data password ;
krb5_kvno kvno ;
krb5_enctype enctypes [ 4 ] = { ENCTYPE_DES_CBC_CRC , ENCTYPE_DES_CBC_MD5 , 0 , 0 } ;
char * princ_s = NULL , * short_princ_s = NULL ;
char * password_s = NULL ;
char * my_fqdn ;
TALLOC_CTX * ctx = NULL ;
char * machine_name ;
# if defined(ENCTYPE_ARCFOUR_HMAC)
enctypes [ 2 ] = ENCTYPE_ARCFOUR_HMAC ;
# endif
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: could not krb5_init_context: %s \n " , error_message ( ret ) ) ) ;
return - 1 ;
}
2007-06-29 08:56:35 +00:00
ret = smb_krb5_open_keytab ( context , NULL , True , & keytab ) ;
2006-07-11 18:45:22 +00:00
if ( ret ) {
2007-06-29 08:56:35 +00:00
DEBUG ( 1 , ( " ads_keytab_add_entry: smb_krb5_open_keytab failed (%s) \n " , error_message ( ret ) ) ) ;
2006-07-11 18:45:22 +00:00
goto out ;
}
/* retrieve the password */
if ( ! secrets_init ( ) ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: secrets_init failed \n " ) ) ;
ret = - 1 ;
goto out ;
}
password_s = secrets_fetch_machine_password ( lp_workgroup ( ) , NULL , NULL ) ;
if ( ! password_s ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: failed to fetch machine password \n " ) ) ;
ret = - 1 ;
goto out ;
}
2008-07-30 16:06:30 -07:00
ZERO_STRUCT ( password ) ;
2006-07-11 18:45:22 +00:00
password . data = password_s ;
password . length = strlen ( password_s ) ;
/* we need the dNSHostName value here */
if ( ( ctx = talloc_init ( " ads_keytab_add_entry " ) ) = = NULL ) {
DEBUG ( 0 , ( " ads_keytab_add_entry: talloc() failed! \n " ) ) ;
ret = - 1 ;
goto out ;
}
if ( ( my_fqdn = ads_get_dnshostname ( ads , ctx , global_myname ( ) ) ) = = NULL ) {
DEBUG ( 0 , ( " ads_keytab_add_entry: unable to determine machine account's dns name in AD! \n " ) ) ;
ret = - 1 ;
goto out ;
}
if ( ( machine_name = ads_get_samaccountname ( ads , ctx , global_myname ( ) ) ) = = NULL ) {
DEBUG ( 0 , ( " ads_keytab_add_entry: unable to determine machine account's short name in AD! \n " ) ) ;
ret = - 1 ;
goto out ;
}
/*strip the trailing '$' */
machine_name [ strlen ( machine_name ) - 1 ] = ' \0 ' ;
/* Construct our principal */
if ( strchr_m ( srvPrinc , ' @ ' ) ) {
/* It's a fully-named principal. */
2008-12-23 11:56:48 -08:00
if ( asprintf ( & princ_s , " %s " , srvPrinc ) = = - 1 ) {
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else if ( srvPrinc [ strlen ( srvPrinc ) - 1 ] = = ' $ ' ) {
/* It's the machine account, as used by smbclient clients. */
2008-12-23 11:56:48 -08:00
if ( asprintf ( & princ_s , " %s@%s " , srvPrinc , lp_realm ( ) ) = = - 1 ) {
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else {
/* It's a normal service principal. Add the SPN now so that we
* can obtain credentials for it and double - check the salt value
* used to generate the service ' s keys . */
2008-12-23 11:56:48 -08:00
if ( asprintf ( & princ_s , " %s/%s@%s " , srvPrinc , my_fqdn , lp_realm ( ) ) = = - 1 ) {
ret = - 1 ;
goto out ;
}
if ( asprintf ( & short_princ_s , " %s/%s@%s " , srvPrinc , machine_name , lp_realm ( ) ) = = - 1 ) {
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
/* According to http://support.microsoft.com/kb/326985/en-us,
certain principal names are automatically mapped to the host / . . .
principal in the AD account . So only create these in the
keytab , not in AD . - - jerry */
if ( ! strequal ( srvPrinc , " cifs " ) & & ! strequal ( srvPrinc , " host " ) ) {
DEBUG ( 3 , ( " ads_keytab_add_entry: Attempting to add/update '%s' \n " , princ_s ) ) ;
if ( ! ADS_ERR_OK ( ads_add_service_principal_name ( ads , global_myname ( ) , my_fqdn , srvPrinc ) ) ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: ads_add_service_principal_name failed. \n " ) ) ;
goto out ;
}
}
}
2008-06-17 16:20:29 +02:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , global_myname ( ) ) ;
2006-07-11 18:45:22 +00:00
if ( kvno = = - 1 ) { /* -1 indicates failure, everything else is OK */
2008-06-17 16:20:29 +02:00
DEBUG ( 1 , ( " ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno. \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
/* add the fqdn principal to the keytab */
2008-06-30 10:29:15 +02:00
ret = smb_krb5_kt_add_entry ( context , keytab , kvno , princ_s , enctypes , password ) ;
2006-07-11 18:45:22 +00:00
if ( ret ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: Failed to add entry to keytab file \n " ) ) ;
goto out ;
}
/* add the short principal name if we have one */
if ( short_princ_s ) {
2008-06-30 10:29:15 +02:00
ret = smb_krb5_kt_add_entry ( context , keytab , kvno , short_princ_s , enctypes , password ) ;
2006-07-11 18:45:22 +00:00
if ( ret ) {
DEBUG ( 1 , ( " ads_keytab_add_entry: Failed to add short entry to keytab file \n " ) ) ;
goto out ;
}
}
out :
SAFE_FREE ( princ_s ) ;
SAFE_FREE ( short_princ_s ) ;
TALLOC_FREE ( ctx ) ;
2004-06-17 23:07:20 +00:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
if ( context ) {
krb5_free_context ( context ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
return ( int ) ret ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 00:24:53 +00:00
/**********************************************************************
2004-06-18 23:15:42 +00:00
Flushes all entries from the system keytab .
2004-06-18 00:24:53 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_flush ( ADS_STRUCT * ads )
{
2004-06-18 02:07:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2004-06-24 19:48:52 +00:00
krb5_kt_cursor cursor ;
2004-06-18 02:07:42 +00:00
krb5_keytab_entry kt_entry ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
2004-06-18 02:07:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
2004-06-18 02:07:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: could not krb5_init_context: %s \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-06-29 08:56:35 +00:00
ret = smb_krb5_open_keytab ( context , NULL , True , & keytab ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2007-06-29 08:56:35 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: smb_krb5_open_keytab failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2008-06-17 16:20:29 +02:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , global_myname ( ) ) ;
2004-06-17 21:39:51 +00:00
if ( kvno = = - 1 ) { /* -1 indicates a failure */
2004-06-18 02:07:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: Error determining the system's kvno. \n " ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2004-06-18 23:15:42 +00:00
while ( ! krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) ) {
2004-06-17 21:39:51 +00:00
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: krb5_kt_end_seq_get() failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2004-06-18 23:15:42 +00:00
ret = krb5_kt_remove_entry ( context , keytab , & kt_entry ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: krb5_kt_remove_entry failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: krb5_kt_start_seq failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2004-06-24 05:56:44 +00:00
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: krb5_kt_remove_entry failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
}
}
2004-06-18 23:15:42 +00:00
/* Ensure we don't double free. */
ZERO_STRUCT ( kt_entry ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-18 23:15:42 +00:00
2004-06-22 00:48:59 +00:00
if ( ! ADS_ERR_OK ( ads_clear_service_principal_names ( ads , global_myname ( ) ) ) ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_flush: Error while clearing service principal listings in LDAP. \n " ) ) ;
2004-06-17 21:39:51 +00:00
goto out ;
}
out :
2004-06-18 02:07:42 +00:00
{
krb5_keytab_entry zero_kt_entry ;
ZERO_STRUCT ( zero_kt_entry ) ;
if ( memcmp ( & zero_kt_entry , & kt_entry , sizeof ( krb5_keytab_entry ) ) ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 02:07:42 +00:00
}
}
2004-06-24 19:48:52 +00:00
{
krb5_kt_cursor zero_csr ;
ZERO_STRUCT ( zero_csr ) ;
if ( ( memcmp ( & cursor , & zero_csr , sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
}
2004-06-18 02:07:42 +00:00
}
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2004-06-18 23:15:42 +00:00
/**********************************************************************
Adds all the required service principals to the system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_create_default ( ADS_STRUCT * ads )
{
2004-06-18 23:15:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2004-06-24 19:48:52 +00:00
krb5_kt_cursor cursor ;
2004-06-18 23:15:42 +00:00
krb5_keytab_entry kt_entry ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
int i , found = 0 ;
2006-07-11 18:45:22 +00:00
char * sam_account_name , * upn ;
2005-03-11 20:59:16 +00:00
char * * oldEntries = NULL , * princ_s [ 26 ] ;
2006-07-11 18:45:22 +00:00
TALLOC_CTX * ctx = NULL ;
fstring machine_name ;
2005-03-11 20:59:16 +00:00
memset ( princ_s , ' \0 ' , sizeof ( princ_s ) ) ;
2004-06-17 21:39:51 +00:00
2006-07-11 18:45:22 +00:00
fstrcpy ( machine_name , global_myname ( ) ) ;
/* these are the main ones we need */
if ( ( ret = ads_keytab_add_entry ( ads , " host " ) ) ! = 0 ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'. \n " ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2006-07-11 18:45:22 +00:00
#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
really needs them and we will fall back to verifying against secrets . tdb */
if ( ( ret = ads_keytab_add_entry ( ads , " cifs " ) ) ! = 0 ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'. \n " ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2006-07-11 18:45:22 +00:00
# endif
2004-06-17 21:39:51 +00:00
2006-07-11 18:45:22 +00:00
if ( ( ctx = talloc_init ( " ads_keytab_create_default " ) ) = = NULL ) {
DEBUG ( 0 , ( " ads_keytab_create_default: talloc() failed! \n " ) ) ;
return - 1 ;
}
/* now add the userPrincipalName and sAMAccountName entries */
2007-01-02 21:29:09 +00:00
2006-07-11 18:45:22 +00:00
if ( ( sam_account_name = ads_get_samaccountname ( ads , ctx , machine_name ) ) = = NULL ) {
DEBUG ( 0 , ( " ads_keytab_add_entry: unable to determine machine account's name in AD! \n " ) ) ;
TALLOC_FREE ( ctx ) ;
return - 1 ;
}
2007-01-02 21:29:09 +00:00
/* upper case the sAMAccountName to make it easier for apps to
know what case to use in the keytab file */
strupper_m ( sam_account_name ) ;
2006-07-11 18:45:22 +00:00
if ( ( ret = ads_keytab_add_entry ( ads , sam_account_name ) ) ! = 0 ) {
DEBUG ( 1 , ( " ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s) \n " ,
sam_account_name ) ) ;
return ret ;
}
/* remember that not every machine account will have a upn */
upn = ads_get_upn ( ads , ctx , machine_name ) ;
if ( upn ) {
if ( ( ret = ads_keytab_add_entry ( ads , upn ) ) ! = 0 ) {
DEBUG ( 1 , ( " ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s) \n " ,
upn ) ) ;
TALLOC_FREE ( ctx ) ;
return ret ;
2004-10-30 00:34:58 +00:00
}
}
2006-07-11 18:45:22 +00:00
/* Now loop through the keytab and update any other existing entries... */
2008-06-17 16:20:29 +02:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , machine_name ) ;
2004-06-17 21:39:51 +00:00
if ( kvno = = - 1 ) {
2008-06-17 16:20:29 +02:00
DEBUG ( 1 , ( " ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno. \n " ) ) ;
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ctx ) ;
2004-06-17 21:39:51 +00:00
return - 1 ;
}
2006-07-11 18:45:22 +00:00
DEBUG ( 3 , ( " ads_keytab_create_default: Searching for keytab entries to "
" preserve and update. \n " ) ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-18 23:15:42 +00:00
2004-06-17 21:39:51 +00:00
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_create_default: could not krb5_init_context: %s \n " , error_message ( ret ) ) ) ;
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ctx ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-06-29 09:54:39 +00:00
ret = smb_krb5_open_keytab ( context , NULL , True , & keytab ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2007-06-29 09:54:39 +00:00
DEBUG ( 1 , ( " ads_keytab_create_default: smb_krb5_open_keytab failed (%s) \n " , error_message ( ret ) ) ) ;
2007-06-29 09:58:11 +00:00
goto done ;
2004-06-17 21:39:51 +00:00
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2004-06-18 23:15:42 +00:00
while ( ( ret = krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) ) = = 0 ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
found + + ;
}
}
2004-06-18 23:15:42 +00:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
2004-06-18 23:15:42 +00:00
/*
* Hmmm . There is no " rewind " function for the keytab . This means we have a race condition
* where someone else could add entries after we ' ve counted them . Re - open asap to minimise
* the race . JRA .
*/
DEBUG ( 3 , ( " ads_keytab_create_default: Found %d entries in the keytab. \n " , found ) ) ;
2004-06-17 21:39:51 +00:00
if ( ! found ) {
goto done ;
}
2009-03-18 16:23:27 +11:00
oldEntries = talloc_array ( ctx , char * , found ) ;
2004-06-17 21:39:51 +00:00
if ( ! oldEntries ) {
2004-06-18 23:15:42 +00:00
DEBUG ( 1 , ( " ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?). \n " ) ) ;
ret = - 1 ;
goto done ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
memset ( oldEntries , ' \0 ' , found * sizeof ( char * ) ) ;
2004-06-17 21:39:51 +00:00
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2004-07-06 23:42:58 +00:00
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
2004-06-18 23:15:42 +00:00
if ( kt_entry . vno ! = kvno ) {
2004-06-19 00:54:54 +00:00
char * ktprinc = NULL ;
2004-06-18 23:15:42 +00:00
char * p ;
/* This returns a malloc'ed string in ktprinc. */
2009-03-18 16:23:27 +11:00
ret = smb_krb5_unparse_name ( oldEntries , context , kt_entry . principal , & ktprinc ) ;
2004-06-18 23:15:42 +00:00
if ( ret ) {
2006-04-24 15:57:54 +00:00
DEBUG ( 1 , ( " smb_krb5_unparse_name failed (%s) \n " , error_message ( ret ) ) ) ;
2004-06-21 19:10:25 +00:00
goto done ;
2004-06-18 23:15:42 +00:00
}
/*
* From looking at the krb5 source they don ' t seem to take locale
* or mb strings into account . Maybe this is because they assume utf8 ?
* In this case we may need to convert from utf8 to mb charset here ? JRA .
*/
2004-10-30 00:34:58 +00:00
p = strchr_m ( ktprinc , ' @ ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
2004-06-18 23:15:42 +00:00
p = strchr_m ( ktprinc , ' / ' ) ;
if ( p ) {
* p = ' \0 ' ;
2004-06-17 21:39:51 +00:00
}
for ( i = 0 ; i < found ; i + + ) {
if ( ! oldEntries [ i ] ) {
oldEntries [ i ] = ktprinc ;
break ;
}
if ( ! strcmp ( oldEntries [ i ] , ktprinc ) ) {
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ktprinc ) ;
2004-06-17 21:39:51 +00:00
break ;
}
}
2004-06-23 00:20:31 +00:00
if ( i = = found ) {
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ktprinc ) ;
2004-06-23 00:20:31 +00:00
}
2004-06-17 21:39:51 +00:00
}
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
}
2004-07-06 23:42:58 +00:00
ret = 0 ;
2004-06-17 21:39:51 +00:00
for ( i = 0 ; oldEntries [ i ] ; i + + ) {
2004-06-22 00:48:59 +00:00
ret | = ads_keytab_add_entry ( ads , oldEntries [ i ] ) ;
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( oldEntries [ i ] ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
done :
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( oldEntries ) ;
TALLOC_FREE ( ctx ) ;
2004-06-18 23:15:42 +00:00
{
krb5_keytab_entry zero_kt_entry ;
ZERO_STRUCT ( zero_kt_entry ) ;
if ( memcmp ( & zero_kt_entry , & kt_entry , sizeof ( krb5_keytab_entry ) ) ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
}
}
2004-06-24 19:48:52 +00:00
{
krb5_kt_cursor zero_csr ;
ZERO_STRUCT ( zero_csr ) ;
if ( ( memcmp ( & cursor , & zero_csr , sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
}
2004-06-18 23:15:42 +00:00
}
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-04-23 08:40:54 +00:00
/**********************************************************************
List system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-06-29 09:01:29 +00:00
int ads_keytab_list ( const char * keytab_name )
2007-04-23 08:40:54 +00:00
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_kt_cursor cursor ;
krb5_keytab_entry kt_entry ;
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
initialize_krb5_error_table ( ) ;
ret = krb5_init_context ( & context ) ;
if ( ret ) {
DEBUG ( 1 , ( " ads_keytab_list: could not krb5_init_context: %s \n " , error_message ( ret ) ) ) ;
return ret ;
}
2007-06-29 08:56:35 +00:00
2007-06-29 09:01:29 +00:00
ret = smb_krb5_open_keytab ( context , keytab_name , False , & keytab ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
2007-06-29 08:56:35 +00:00
DEBUG ( 1 , ( " ads_keytab_list: smb_krb5_open_keytab failed (%s) \n " , error_message ( ret ) ) ) ;
2007-04-23 08:40:54 +00:00
goto out ;
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
goto out ;
}
printf ( " Vno Type Principal \n " ) ;
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
char * princ_s = NULL ;
char * etype_s = NULL ;
krb5_enctype enctype = 0 ;
2009-03-18 16:23:27 +11:00
ret = smb_krb5_unparse_name ( talloc_tos ( ) , context , kt_entry . principal , & princ_s ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
goto out ;
}
enctype = smb_get_enctype_from_kt_entry ( & kt_entry ) ;
ret = smb_krb5_enctype_to_string ( context , enctype , & etype_s ) ;
if ( ret ) {
2008-12-02 12:57:02 +01:00
if ( asprintf ( & etype_s , " UNKNOWN: %d \n " , enctype ) = = - 1 )
{
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( princ_s ) ;
2008-12-02 12:57:02 +01:00
goto out ;
}
2007-04-23 08:40:54 +00:00
}
printf ( " %3d %s \t \t %s \n " , kt_entry . vno , etype_s , princ_s ) ;
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( princ_s ) ;
2007-04-23 08:40:54 +00:00
SAFE_FREE ( etype_s ) ;
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
if ( ret ) {
goto out ;
}
}
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
goto out ;
}
/* Ensure we don't double free. */
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
out :
{
krb5_keytab_entry zero_kt_entry ;
ZERO_STRUCT ( zero_kt_entry ) ;
if ( memcmp ( & zero_kt_entry , & kt_entry , sizeof ( krb5_keytab_entry ) ) ) {
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
}
}
{
krb5_kt_cursor zero_csr ;
ZERO_STRUCT ( zero_csr ) ;
if ( ( memcmp ( & cursor , & zero_csr , sizeof ( krb5_kt_cursor ) ) ! = 0 ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
}
}
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
return ret ;
}
2004-06-17 21:39:51 +00:00
# endif /* HAVE_KRB5 */