sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
714862defd
samba-mirror/source4/libnet/libnet_export_keytab.c

83 lines
2.4 KiB
C
Raw Normal View History

s4-libnet: split export_keytab in a separate python module to avoid pulling in HDB dependency Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Thu Apr 12 15:23:19 CEST 2012 on sn-devel-104
2012-04-10 13:09:20 +04:00
/*
Unix SMB/CIFS implementation.
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
#include "includes.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include <hdb.h>
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
#include "kdc/samba_kdc.h"
s4-libnet: split export_keytab in a separate python module to avoid pulling in HDB dependency Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Thu Apr 12 15:23:19 CEST 2012 on sn-devel-104
2012-04-10 13:09:20 +04:00
#include "libnet/libnet_export_keytab.h"
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r)
{
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
const char *from_keytab;
/* Register hdb-samba4 hooks for use as a keytab */
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 08:08:36 +03:00
struct samba_kdc_base_context *base_ctx = talloc_zero(mem_ctx, struct samba_kdc_base_context);
if (!base_ctx) {
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
return NT_STATUS_NO_MEMORY;
}
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 08:08:36 +03:00
base_ctx->ev_ctx = ctx->event_ctx;
base_ctx->lp_ctx = ctx->lp_ctx;
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 08:08:36 +03:00
from_keytab = talloc_asprintf(base_ctx, "HDB:samba4&%p", base_ctx);
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
if (!from_keytab) {
return NT_STATUS_NO_MEMORY;
}
kerberos: Remove un-used event context argument from smb_krb5_init_context() The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-17 14:35:33 +04:00
ret = smb_krb5_init_context(ctx, ctx->lp_ctx, &smb_krb5_context);
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
if (ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_plugin_register(smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
s4-kdc: Add hdb plugin for samba4, to allow kadmin to work This will help users who are used to the kadmin interface, and could be extended to import existing MIT or Heimdal keys into a Samba4 AD domain. To use, add to your krb5.conf [kdc] database = { dbname = samba4: } or [kdc] database = { dbname = samba4:/usr/local/samba/etc/smb.conf } And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
2011-11-30 00:45:25 +04:00
&hdb_samba4_interface);
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
if(ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
if(ret) {
return NT_STATUS_NO_MEMORY;
}
s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-11-29 05:47:40 +04:00
if (r->in.principal) {
s4-libnet: Fix passing samba_all_enctypes as a fn rather than the encrypt array it returns Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 29 09:56:27 CEST 2012 on sn-devel-104
2012-08-29 10:22:24 +04:00
ret = kt_copy_one_principal(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name, r->in.principal, 0, samba_all_enctypes());
s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-11-29 05:47:40 +04:00
} else {
unlink(r->in.keytab_name);
ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
}
s4-libnet: wipe the old keytab when exporting this prevents confusion with old keytab entries Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30 23:43:14 +04:00
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
if(ret) {
r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx);
s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
2011-11-29 05:47:40 +04:00
if (ret == KRB5_KT_NOTFOUND) {
return NT_STATUS_NO_SUCH_USER;
} else {
return NT_STATUS_UNSUCCESSFUL;
}
s4:kerberos Add 'net export keytab' command for wireshark decryption It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
2009-07-27 16:04:26 +04:00
}
return NT_STATUS_OK;
}
Copy Permalink