2004-06-17 21:39:51 +00:00
/*
Unix SMB / CIFS implementation .
kerberos keytab utility library
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Remus Koos 2001
Copyright ( C ) Luke Howard 2003
Copyright ( C ) Jim McDonough ( jmcd @ us . ibm . com ) 2003
2007-06-29 09:42:14 +00:00
Copyright ( C ) Guenther Deschner 2003
2004-06-17 21:39:51 +00:00
Copyright ( C ) Rakesh Patel 2004
Copyright ( C ) Dan Perry 2004
2004-06-17 23:07:20 +00:00
Copyright ( C ) Jeremy Allison 2004
2006-07-11 18:45:22 +00:00
Copyright ( C ) Gerald Carter 2006
2004-06-17 21:39:51 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2004-06-17 21:39:51 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-06-17 21:39:51 +00:00
*/
# include "includes.h"
2009-11-27 15:52:57 +01:00
# include "smb_krb5.h"
2010-07-02 00:32:52 +02:00
# include "ads.h"
2010-08-05 02:25:37 +02:00
# include "secrets.h"
2004-06-17 21:39:51 +00:00
# ifdef HAVE_KRB5
2011-04-15 12:37:55 +02:00
# ifdef HAVE_ADS
2017-03-13 16:24:52 +01:00
/* This MAX_NAME_LEN is a constant defined in krb5.h */
# ifndef MAX_KEYTAB_NAME_LEN
# define MAX_KEYTAB_NAME_LEN 1100
# endif
static krb5_error_code ads_keytab_open ( krb5_context context ,
krb5_keytab * keytab )
{
char keytab_str [ MAX_KEYTAB_NAME_LEN ] = { 0 } ;
const char * keytab_name = NULL ;
krb5_error_code ret = 0 ;
switch ( lp_kerberos_method ( ) ) {
case KERBEROS_VERIFY_SYSTEM_KEYTAB :
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB :
ret = krb5_kt_default_name ( context ,
keytab_str ,
sizeof ( keytab_str ) - 2 ) ;
if ( ret ! = 0 ) {
DBG_WARNING ( " Failed to get default keytab name " ) ;
goto out ;
}
keytab_name = keytab_str ;
break ;
case KERBEROS_VERIFY_DEDICATED_KEYTAB :
keytab_name = lp_dedicated_keytab_file ( ) ;
break ;
default :
DBG_ERR ( " Invalid kerberos method set (%d) \n " ,
lp_kerberos_method ( ) ) ;
ret = KRB5_KT_BADNAME ;
goto out ;
}
if ( keytab_name = = NULL | | keytab_name [ 0 ] = = ' \0 ' ) {
DBG_ERR ( " Invalid keytab name \n " ) ;
ret = KRB5_KT_BADNAME ;
goto out ;
}
ret = smb_krb5_kt_open ( context , keytab_name , true , keytab ) ;
if ( ret ! = 0 ) {
DBG_WARNING ( " smb_krb5_kt_open failed (%s) \n " ,
error_message ( ret ) ) ;
goto out ;
}
out :
return ret ;
}
2018-02-16 16:52:01 +00:00
static bool fill_default_spns ( TALLOC_CTX * ctx , const char * machine_name ,
const char * my_fqdn , const char * spn ,
const char * * * spns )
{
char * psp1 , * psp2 ;
if ( * spns = = NULL ) {
* spns = talloc_zero_array ( ctx , const char * , 3 ) ;
2018-03-27 17:00:46 -05:00
if ( * spns = = NULL ) {
2018-02-16 16:52:01 +00:00
return false ;
}
}
psp1 = talloc_asprintf ( ctx ,
" %s/%s " ,
spn ,
machine_name ) ;
if ( psp1 = = NULL ) {
return false ;
}
if ( ! strlower_m ( & psp1 [ strlen ( spn ) + 1 ] ) ) {
return false ;
}
( * spns ) [ 0 ] = psp1 ;
psp2 = talloc_asprintf ( ctx ,
" %s/%s " ,
spn ,
my_fqdn ) ;
if ( psp2 = = NULL ) {
return false ;
}
if ( ! strlower_m ( & psp2 [ strlen ( spn ) + 1 ] ) ) {
return false ;
}
( * spns ) [ 1 ] = psp2 ;
return true ;
}
static bool ads_set_machine_account_spns ( TALLOC_CTX * ctx ,
ADS_STRUCT * ads ,
const char * service_or_spn ,
const char * my_fqdn )
{
const char * * spn_names = NULL ;
ADS_STATUS aderr ;
2018-01-29 18:38:05 +00:00
struct spn_struct * spn_struct = NULL ;
char * tmp = NULL ;
/* SPN should have '/' */
tmp = strchr_m ( service_or_spn , ' / ' ) ;
if ( tmp ! = NULL ) {
spn_struct = parse_spn ( ctx , service_or_spn ) ;
if ( spn_struct = = NULL ) {
return false ;
}
}
2018-02-16 16:52:01 +00:00
DBG_INFO ( " Attempting to add/update '%s' \n " , service_or_spn ) ;
2018-01-29 18:38:05 +00:00
if ( spn_struct ! = NULL ) {
spn_names = talloc_zero_array ( ctx , const char * , 2 ) ;
spn_names [ 0 ] = service_or_spn ;
} else {
bool ok ;
ok = fill_default_spns ( ctx ,
lp_netbios_name ( ) ,
my_fqdn ,
service_or_spn ,
& spn_names ) ;
if ( ! ok ) {
return false ;
}
2018-02-16 16:52:01 +00:00
}
aderr = ads_add_service_principal_names ( ads ,
lp_netbios_name ( ) ,
spn_names ) ;
if ( ! ADS_ERR_OK ( aderr ) ) {
DBG_WARNING ( " Failed to add service principal name. \n " ) ;
return false ;
}
return true ;
}
2018-01-29 18:30:33 +00:00
/*
* Create kerberos principal ( s ) from SPN or service name .
*/
static bool service_or_spn_to_kerberos_princ ( TALLOC_CTX * ctx ,
const char * service_or_spn ,
const char * my_fqdn ,
char * * p_princ_s ,
char * * p_short_princ_s )
{
char * princ_s = NULL ;
char * short_princ_s = NULL ;
const char * service = service_or_spn ;
const char * host = my_fqdn ;
struct spn_struct * spn_struct = NULL ;
char * tmp = NULL ;
bool ok = true ;
/* SPN should have '/' */
tmp = strchr_m ( service_or_spn , ' / ' ) ;
if ( tmp ! = NULL ) {
spn_struct = parse_spn ( ctx , service_or_spn ) ;
if ( spn_struct = = NULL ) {
ok = false ;
goto out ;
}
}
if ( spn_struct ! = NULL ) {
service = spn_struct - > serviceclass ;
host = spn_struct - > host ;
}
princ_s = talloc_asprintf ( ctx , " %s/%s@%s " ,
service ,
host , lp_realm ( ) ) ;
if ( princ_s = = NULL ) {
ok = false ;
goto out ;
}
if ( spn_struct = = NULL ) {
short_princ_s = talloc_asprintf ( ctx , " %s/%s@%s " ,
service , lp_netbios_name ( ) ,
lp_realm ( ) ) ;
if ( short_princ_s = = NULL ) {
ok = false ;
goto out ;
}
}
* p_princ_s = princ_s ;
* p_short_princ_s = short_princ_s ;
out :
return ok ;
}
2006-07-11 18:45:22 +00:00
/**********************************************************************
Adds a single service principal , i . e . ' host ' to the system keytab
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2018-02-08 17:33:08 +00:00
int ads_keytab_add_entry ( ADS_STRUCT * ads , const char * srvPrinc , bool update_ads )
2006-07-11 18:45:22 +00:00
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_data password ;
krb5_kvno kvno ;
2011-12-15 18:12:41 +01:00
krb5_enctype enctypes [ 6 ] = {
2010-08-18 04:33:32 -04:00
ENCTYPE_DES_CBC_CRC ,
ENCTYPE_DES_CBC_MD5 ,
2011-12-15 18:12:41 +01:00
# ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96 ,
# endif
# ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96 ,
# endif
2010-08-18 04:33:32 -04:00
ENCTYPE_ARCFOUR_HMAC ,
0
} ;
char * princ_s = NULL ;
char * short_princ_s = NULL ;
2016-02-29 16:21:56 +01:00
char * salt_princ_s = NULL ;
2006-07-11 18:45:22 +00:00
char * password_s = NULL ;
char * my_fqdn ;
2010-08-18 04:33:32 -04:00
TALLOC_CTX * tmpctx = NULL ;
2016-02-29 16:21:56 +01:00
int i ;
2006-07-11 18:45:22 +00:00
2018-12-05 11:16:42 +01:00
ret = smb_krb5_init_context_common ( & context ) ;
2006-07-11 18:45:22 +00:00
if ( ret ) {
2018-12-05 11:16:42 +01:00
DBG_ERR ( " kerberos init context failed (%s) \n " ,
error_message ( ret ) ) ;
2006-07-11 18:45:22 +00:00
return - 1 ;
}
2007-06-29 08:56:35 +00:00
2017-03-13 16:24:52 +01:00
ret = ads_keytab_open ( context , & keytab ) ;
if ( ret ! = 0 ) {
2006-07-11 18:45:22 +00:00
goto out ;
}
/* retrieve the password */
if ( ! secrets_init ( ) ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 1 , ( __location__ " : secrets_init failed \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
password_s = secrets_fetch_machine_password ( lp_workgroup ( ) , NULL , NULL ) ;
if ( ! password_s ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 1 , ( __location__ " : failed to fetch machine password \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2008-07-30 16:06:30 -07:00
ZERO_STRUCT ( password ) ;
2006-07-11 18:45:22 +00:00
password . data = password_s ;
password . length = strlen ( password_s ) ;
/* we need the dNSHostName value here */
2010-08-18 04:33:32 -04:00
tmpctx = talloc_init ( __location__ ) ;
if ( ! tmpctx ) {
DEBUG ( 0 , ( __location__ " : talloc_init() failed! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
2011-06-09 15:31:03 +10:00
my_fqdn = ads_get_dnshostname ( ads , tmpctx , lp_netbios_name ( ) ) ;
2010-08-18 04:33:32 -04:00
if ( ! my_fqdn ) {
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's dns name in AD! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
2010-08-18 04:33:32 -04:00
goto out ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 04:33:32 -04:00
2018-01-12 14:22:34 +00:00
/* make sure we have a single instance of a the computer account */
if ( ! ads_has_samaccountname ( ads , tmpctx , lp_netbios_name ( ) ) ) {
2010-08-18 04:33:32 -04:00
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's short name in AD! \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
2010-08-18 04:33:32 -04:00
goto out ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 04:33:32 -04:00
/* Construct our principal */
2006-07-11 18:45:22 +00:00
if ( strchr_m ( srvPrinc , ' @ ' ) ) {
/* It's a fully-named principal. */
2010-08-18 04:33:32 -04:00
princ_s = talloc_asprintf ( tmpctx , " %s " , srvPrinc ) ;
if ( ! princ_s ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else if ( srvPrinc [ strlen ( srvPrinc ) - 1 ] = = ' $ ' ) {
/* It's the machine account, as used by smbclient clients. */
2010-08-18 04:33:32 -04:00
princ_s = talloc_asprintf ( tmpctx , " %s@%s " ,
srvPrinc , lp_realm ( ) ) ;
if ( ! princ_s ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2006-07-11 18:45:22 +00:00
} else {
/* It's a normal service principal. Add the SPN now so that we
* can obtain credentials for it and double - check the salt value
* used to generate the service ' s keys . */
2010-08-18 04:33:32 -04:00
2018-01-29 18:30:33 +00:00
if ( ! service_or_spn_to_kerberos_princ ( tmpctx ,
srvPrinc ,
my_fqdn ,
& princ_s ,
& short_princ_s ) ) {
2008-12-23 11:56:48 -08:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
/* According to http://support.microsoft.com/kb/326985/en-us,
certain principal names are automatically mapped to the
host / . . . principal in the AD account .
So only create these in the keytab , not in AD . - - jerry */
2018-02-08 17:33:08 +00:00
if ( update_ads & & ! strequal ( srvPrinc , " cifs " ) & &
2010-08-18 04:33:32 -04:00
! strequal ( srvPrinc , " host " ) ) {
2018-02-16 16:52:01 +00:00
if ( ! ads_set_machine_account_spns ( tmpctx ,
ads ,
srvPrinc ,
my_fqdn ) ) {
ret = - 1 ;
2006-07-11 18:45:22 +00:00
goto out ;
}
}
}
2011-06-09 15:31:03 +10:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:33:32 -04:00
if ( kvno = = - 1 ) {
/* -1 indicates failure, everything else is OK */
DEBUG ( 1 , ( __location__ " : ads_get_machine_kvno failed to "
" determine the system's kvno. \n " ) ) ;
2006-07-11 18:45:22 +00:00
ret = - 1 ;
goto out ;
}
2010-08-18 04:33:32 -04:00
2017-05-19 17:08:24 +02:00
salt_princ_s = kerberos_secrets_fetch_salt_princ ( ) ;
if ( salt_princ_s = = NULL ) {
DBG_WARNING ( " kerberos_secrets_fetch_salt_princ() failed \n " ) ;
ret = - 1 ;
goto out ;
}
2016-02-29 16:21:56 +01:00
for ( i = 0 ; enctypes [ i ] ; i + + ) {
/* add the fqdn principal to the keytab */
ret = smb_krb5_kt_add_entry ( context ,
keytab ,
kvno ,
princ_s ,
salt_princ_s ,
enctypes [ i ] ,
2016-02-29 17:22:50 +01:00
& password ,
2016-02-29 16:21:56 +01:00
false ,
false ) ;
2010-08-18 04:33:32 -04:00
if ( ret ) {
2016-02-29 16:21:56 +01:00
DEBUG ( 1 , ( __location__ " : Failed to add entry to keytab \n " ) ) ;
2006-07-11 18:45:22 +00:00
goto out ;
}
2016-02-29 16:21:56 +01:00
/* add the short principal name if we have one */
if ( short_princ_s ) {
ret = smb_krb5_kt_add_entry ( context ,
keytab ,
kvno ,
short_princ_s ,
salt_princ_s ,
enctypes [ i ] ,
2016-02-29 17:22:50 +01:00
& password ,
2016-02-29 16:21:56 +01:00
false ,
false ) ;
if ( ret ) {
DEBUG ( 1 , ( __location__
" : Failed to add short entry to keytab \n " ) ) ;
goto out ;
}
}
2006-07-11 18:45:22 +00:00
}
out :
2017-05-19 17:08:24 +02:00
SAFE_FREE ( salt_princ_s ) ;
2010-08-18 04:33:32 -04:00
TALLOC_FREE ( tmpctx ) ;
2004-06-17 23:07:20 +00:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
if ( context ) {
krb5_free_context ( context ) ;
2004-06-17 21:39:51 +00:00
}
2004-06-17 23:07:20 +00:00
return ( int ) ret ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 00:24:53 +00:00
/**********************************************************************
2004-06-18 23:15:42 +00:00
Flushes all entries from the system keytab .
2004-06-18 00:24:53 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_flush ( ADS_STRUCT * ads )
{
2004-06-18 02:07:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
2010-08-18 04:16:41 -04:00
ADS_STATUS aderr ;
2004-06-24 19:48:52 +00:00
2018-12-05 11:16:42 +01:00
ret = smb_krb5_init_context_common ( & context ) ;
2004-06-17 21:39:51 +00:00
if ( ret ) {
2018-12-05 11:16:42 +01:00
DBG_ERR ( " kerberos init context failed (%s) \n " ,
error_message ( ret ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-06-29 08:56:35 +00:00
2017-03-13 16:24:52 +01:00
ret = ads_keytab_open ( context , & keytab ) ;
if ( ret ! = 0 ) {
2004-06-17 21:39:51 +00:00
goto out ;
}
2011-06-09 15:31:03 +10:00
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:16:41 -04:00
if ( kvno = = - 1 ) {
/* -1 indicates a failure */
DEBUG ( 1 , ( __location__ " : Error determining the kvno. \n " ) ) ;
2018-11-21 10:59:31 +01:00
ret = - 1 ;
2004-06-17 21:39:51 +00:00
goto out ;
}
2010-08-18 04:16:41 -04:00
/* Seek and delete old keytab entries */
2016-02-29 17:31:56 +01:00
ret = smb_krb5_kt_seek_and_delete_old_entries ( context ,
keytab ,
kvno ,
2016-04-26 15:45:17 +02:00
ENCTYPE_NULL ,
2016-02-29 17:31:56 +01:00
NULL ,
NULL ,
true ,
false ) ;
2010-08-18 04:16:41 -04:00
if ( ret ) {
goto out ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
2011-06-09 15:31:03 +10:00
aderr = ads_clear_service_principal_names ( ads , lp_netbios_name ( ) ) ;
2010-08-18 04:16:41 -04:00
if ( ! ADS_ERR_OK ( aderr ) ) {
DEBUG ( 1 , ( __location__ " : Error while clearing service "
" principal listings in LDAP. \n " ) ) ;
2018-11-21 10:59:31 +01:00
ret = - 1 ;
2004-06-17 21:39:51 +00:00
goto out ;
}
out :
2004-06-18 02:07:42 +00:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2004-06-18 23:15:42 +00:00
/**********************************************************************
Adds all the required service principals to the system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-06-17 21:39:51 +00:00
int ads_keytab_create_default ( ADS_STRUCT * ads )
{
2004-06-18 23:15:42 +00:00
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
2015-03-04 10:09:51 +01:00
krb5_kt_cursor cursor = { 0 } ;
2015-03-04 10:09:18 +01:00
krb5_keytab_entry kt_entry = { 0 } ;
2004-06-17 21:39:51 +00:00
krb5_kvno kvno ;
2014-09-24 10:51:33 +02:00
size_t found = 0 ;
2006-07-11 18:45:22 +00:00
char * sam_account_name , * upn ;
2005-03-11 20:59:16 +00:00
char * * oldEntries = NULL , * princ_s [ 26 ] ;
2014-09-24 10:51:33 +02:00
TALLOC_CTX * frame ;
2010-08-18 06:09:27 -04:00
char * machine_name ;
2014-09-24 10:51:33 +02:00
char * * spn_array ;
size_t num_spns ;
size_t i ;
2018-01-12 14:22:34 +00:00
bool ok = false ;
2014-09-24 10:51:33 +02:00
ADS_STATUS status ;
2006-07-11 18:45:22 +00:00
2015-05-02 13:44:52 +03:00
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
2014-09-24 10:51:33 +02:00
frame = talloc_stackframe ( ) ;
if ( frame = = NULL ) {
ret = - 1 ;
goto done ;
}
status = ads_get_service_principal_names ( frame ,
ads ,
lp_netbios_name ( ) ,
& spn_array ,
& num_spns ) ;
if ( ! ADS_ERR_OK ( status ) ) {
ret = - 1 ;
goto done ;
2004-06-17 21:39:51 +00:00
}
2006-07-11 18:45:22 +00:00
2014-09-24 10:51:33 +02:00
for ( i = 0 ; i < num_spns ; i + + ) {
char * srv_princ ;
char * p ;
srv_princ = strlower_talloc ( frame , spn_array [ i ] ) ;
if ( srv_princ = = NULL ) {
ret = - 1 ;
goto done ;
}
p = strchr_m ( srv_princ , ' / ' ) ;
if ( p = = NULL ) {
continue ;
}
p [ 0 ] = ' \0 ' ;
/* Add the SPNs found on the DC */
2018-02-09 14:07:27 +00:00
ret = ads_keytab_add_entry ( ads , srv_princ , false ) ;
2014-09-24 10:51:33 +02:00
if ( ret ! = 0 ) {
DEBUG ( 1 , ( " ads_keytab_add_entry failed while "
" adding '%s' principal. \n " ,
spn_array [ i ] ) ) ;
goto done ;
}
}
2006-07-11 18:45:22 +00:00
2010-08-18 06:09:27 -04:00
#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
really needs them and we will fall back to verifying against
secrets . tdb */
2018-02-09 14:07:27 +00:00
ret = ads_keytab_add_entry ( ads , " cifs " , false ) ) ;
2010-08-18 06:09:27 -04:00
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry failed while "
" adding 'cifs'. \n " ) ) ;
2004-06-17 21:39:51 +00:00
return ret ;
}
2006-07-11 18:45:22 +00:00
# endif
2004-06-17 21:39:51 +00:00
2010-08-18 06:09:27 -04:00
memset ( princ_s , ' \0 ' , sizeof ( princ_s ) ) ;
2018-12-05 11:16:42 +01:00
ret = smb_krb5_init_context_common ( & context ) ;
2010-08-18 06:09:27 -04:00
if ( ret ) {
2018-12-05 11:16:42 +01:00
DBG_ERR ( " kerberos init context failed (%s) \n " ,
error_message ( ret ) ) ;
2010-08-18 06:09:27 -04:00
goto done ;
}
2007-01-02 21:29:09 +00:00
2014-09-24 10:51:33 +02:00
machine_name = talloc_strdup ( frame , lp_netbios_name ( ) ) ;
2010-08-18 06:09:27 -04:00
if ( ! machine_name ) {
ret = - 1 ;
goto done ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 06:09:27 -04:00
/* now add the userPrincipalName and sAMAccountName entries */
2018-01-12 14:22:34 +00:00
ok = ads_has_samaccountname ( ads , frame , machine_name ) ;
if ( ! ok ) {
2010-08-18 06:09:27 -04:00
DEBUG ( 0 , ( __location__ " : unable to determine machine "
" account's name in AD! \n " ) ) ;
ret = - 1 ;
goto done ;
}
2007-01-02 21:29:09 +00:00
2018-01-12 14:22:34 +00:00
/*
* append ' $ ' to netbios name so ' ads_keytab_add_entry ' recognises
* it as a machine account rather than a service or Windows SPN .
*/
sam_account_name = talloc_asprintf ( frame , " %s$ " , machine_name ) ;
if ( sam_account_name = = NULL ) {
ret = - 1 ;
goto done ;
}
2010-08-18 06:09:27 -04:00
/* upper case the sAMAccountName to make it easier for apps to
know what case to use in the keytab file */
2012-08-08 15:35:28 -07:00
if ( ! strupper_m ( sam_account_name ) ) {
ret = - 1 ;
goto done ;
}
2007-01-02 21:29:09 +00:00
2018-02-09 14:07:27 +00:00
ret = ads_keytab_add_entry ( ads , sam_account_name , false ) ;
2010-08-18 06:09:27 -04:00
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry() failed "
" while adding sAMAccountName (%s) \n " ,
sam_account_name ) ) ;
goto done ;
2006-07-11 18:45:22 +00:00
}
2010-08-18 06:09:27 -04:00
2006-07-11 18:45:22 +00:00
/* remember that not every machine account will have a upn */
2014-09-24 10:51:33 +02:00
upn = ads_get_upn ( ads , frame , machine_name ) ;
2010-08-18 06:09:27 -04:00
if ( upn ) {
2018-02-09 14:07:27 +00:00
ret = ads_keytab_add_entry ( ads , upn , false ) ;
2010-08-18 06:09:27 -04:00
if ( ret ! = 0 ) {
DEBUG ( 1 , ( __location__ " : ads_keytab_add_entry() "
" failed while adding UPN (%s) \n " , upn ) ) ;
goto done ;
2004-10-30 00:34:58 +00:00
}
}
2010-08-18 06:09:27 -04:00
/* Now loop through the keytab and update any other existing entries */
kvno = ( krb5_kvno ) ads_get_machine_kvno ( ads , machine_name ) ;
2014-09-24 10:51:33 +02:00
if ( kvno = = ( krb5_kvno ) - 1 ) {
2010-08-18 06:09:27 -04:00
DEBUG ( 1 , ( __location__ " : ads_get_machine_kvno() failed to "
" determine the system's kvno. \n " ) ) ;
goto done ;
2004-06-17 21:39:51 +00:00
}
2004-06-18 23:15:42 +00:00
2010-08-18 06:09:27 -04:00
DEBUG ( 3 , ( __location__ " : Searching for keytab entries to preserve "
" and update. \n " ) ) ;
2007-06-29 09:54:39 +00:00
2017-03-13 16:24:52 +01:00
ret = ads_keytab_open ( context , & keytab ) ;
if ( ret ! = 0 ) {
2007-06-29 09:58:11 +00:00
goto done ;
2004-06-17 21:39:51 +00:00
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ! = KRB5_KT_END & & ret ! = ENOENT ) {
2010-08-18 06:09:27 -04:00
while ( ( ret = krb5_kt_next_entry ( context , keytab ,
& kt_entry , & cursor ) ) = = 0 ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
found + + ;
}
}
2004-06-18 23:15:42 +00:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
ZERO_STRUCT ( cursor ) ;
2004-06-17 21:39:51 +00:00
2004-06-18 23:15:42 +00:00
/*
2010-08-18 06:09:27 -04:00
* Hmmm . There is no " rewind " function for the keytab . This means we
* have a race condition where someone else could add entries after
* we ' ve counted them . Re - open asap to minimise the race . JRA .
2004-06-18 23:15:42 +00:00
*/
2014-09-24 10:51:33 +02:00
DEBUG ( 3 , ( __location__ " : Found %zd entries in the keytab. \n " , found ) ) ;
2004-06-17 21:39:51 +00:00
if ( ! found ) {
goto done ;
}
2010-08-18 06:09:27 -04:00
2014-11-12 17:21:05 +01:00
oldEntries = talloc_zero_array ( frame , char * , found + 1 ) ;
2004-06-17 21:39:51 +00:00
if ( ! oldEntries ) {
2010-08-18 06:09:27 -04:00
DEBUG ( 1 , ( __location__ " : Failed to allocate space to store "
" the old keytab entries (talloc failed?). \n " ) ) ;
2004-06-18 23:15:42 +00:00
ret = - 1 ;
goto done ;
2004-06-17 21:39:51 +00:00
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
2010-08-18 06:09:27 -04:00
if ( ret = = KRB5_KT_END | | ret = = ENOENT ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
ZERO_STRUCT ( cursor ) ;
goto done ;
}
2004-06-18 23:15:42 +00:00
2010-08-18 06:09:27 -04:00
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
if ( kt_entry . vno ! = kvno ) {
char * ktprinc = NULL ;
char * p ;
2004-10-30 00:34:58 +00:00
2010-08-18 06:09:27 -04:00
/* This returns a malloc'ed string in ktprinc. */
ret = smb_krb5_unparse_name ( oldEntries , context ,
kt_entry . principal ,
& ktprinc ) ;
if ( ret ) {
DEBUG ( 1 , ( __location__
" : smb_krb5_unparse_name failed "
" (%s) \n " , error_message ( ret ) ) ) ;
goto done ;
}
/*
* From looking at the krb5 source they don ' t seem to
* take locale or mb strings into account .
* Maybe this is because they assume utf8 ?
* In this case we may need to convert from utf8 to
* mb charset here ? JRA .
*/
p = strchr_m ( ktprinc , ' @ ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
p = strchr_m ( ktprinc , ' / ' ) ;
if ( p ) {
* p = ' \0 ' ;
}
for ( i = 0 ; i < found ; i + + ) {
if ( ! oldEntries [ i ] ) {
oldEntries [ i ] = ktprinc ;
break ;
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
if ( ! strcmp ( oldEntries [ i ] , ktprinc ) ) {
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( ktprinc ) ;
2010-08-18 06:09:27 -04:00
break ;
2004-06-23 00:20:31 +00:00
}
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
if ( i = = found ) {
TALLOC_FREE ( ktprinc ) ;
}
2004-06-17 21:39:51 +00:00
}
2010-08-18 06:09:27 -04:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
ZERO_STRUCT ( kt_entry ) ;
2004-06-17 21:39:51 +00:00
}
2015-05-02 13:44:53 +03:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
ZERO_STRUCT ( cursor ) ;
2010-08-18 06:09:27 -04:00
ret = 0 ;
for ( i = 0 ; oldEntries [ i ] ; i + + ) {
2018-02-09 14:07:27 +00:00
ret | = ads_keytab_add_entry ( ads , oldEntries [ i ] , false ) ;
2010-08-18 06:09:27 -04:00
TALLOC_FREE ( oldEntries [ i ] ) ;
}
2004-06-17 21:39:51 +00:00
done :
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( oldEntries ) ;
2014-09-24 10:51:33 +02:00
TALLOC_FREE ( frame ) ;
2004-06-18 23:15:42 +00:00
2016-06-08 14:50:59 -07:00
if ( context ) {
2016-12-31 12:45:51 +00:00
if ( ! all_zero ( ( uint8_t * ) & kt_entry , sizeof ( kt_entry ) ) ) {
2004-06-24 05:56:44 +00:00
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2004-06-18 23:15:42 +00:00
}
2016-12-31 12:45:51 +00:00
if ( ! all_zero ( ( uint8_t * ) & cursor , sizeof ( cursor ) ) & & keytab ) {
2010-08-18 06:09:27 -04:00
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2004-06-24 19:48:52 +00:00
}
2016-06-08 14:50:59 -07:00
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
2004-06-18 23:15:42 +00:00
krb5_free_context ( context ) ;
}
2004-06-17 21:39:51 +00:00
return ret ;
}
2007-04-23 08:40:54 +00:00
2011-04-15 12:37:55 +02:00
# endif /* HAVE_ADS */
2007-04-23 08:40:54 +00:00
/**********************************************************************
List system keytab .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-06-29 09:01:29 +00:00
int ads_keytab_list ( const char * keytab_name )
2007-04-23 08:40:54 +00:00
{
krb5_error_code ret = 0 ;
krb5_context context = NULL ;
krb5_keytab keytab = NULL ;
krb5_kt_cursor cursor ;
krb5_keytab_entry kt_entry ;
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
2018-12-05 11:16:42 +01:00
ret = smb_krb5_init_context_common ( & context ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
2018-12-05 11:16:42 +01:00
DBG_ERR ( " kerberos init context failed (%s) \n " ,
error_message ( ret ) ) ;
2007-04-23 08:40:54 +00:00
return ret ;
}
2007-06-29 08:56:35 +00:00
2017-11-23 15:55:21 +00:00
if ( keytab_name = = NULL ) {
2018-02-03 07:07:24 +01:00
# ifdef HAVE_ADS
2017-11-23 15:55:21 +00:00
ret = ads_keytab_open ( context , & keytab ) ;
2018-02-03 07:07:24 +01:00
# else
ret = ENOENT ;
# endif
2017-11-23 15:55:21 +00:00
} else {
ret = smb_krb5_kt_open ( context , keytab_name , False , & keytab ) ;
}
2007-04-23 08:40:54 +00:00
if ( ret ) {
2016-08-29 11:03:51 +02:00
DEBUG ( 1 , ( " smb_krb5_kt_open failed (%s) \n " ,
2010-08-18 06:46:53 -04:00
error_message ( ret ) ) ) ;
2007-04-23 08:40:54 +00:00
goto out ;
}
ret = krb5_kt_start_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
2010-08-31 14:27:56 +02:00
ZERO_STRUCT ( cursor ) ;
2007-04-23 08:40:54 +00:00
goto out ;
}
2012-01-06 17:48:58 +01:00
printf ( " Vno Type Principal \n " ) ;
2007-04-23 08:40:54 +00:00
while ( krb5_kt_next_entry ( context , keytab , & kt_entry , & cursor ) = = 0 ) {
2010-08-18 06:46:53 -04:00
2007-04-23 08:40:54 +00:00
char * princ_s = NULL ;
char * etype_s = NULL ;
krb5_enctype enctype = 0 ;
2010-08-18 06:46:53 -04:00
ret = smb_krb5_unparse_name ( talloc_tos ( ) , context ,
kt_entry . principal , & princ_s ) ;
2007-04-23 08:40:54 +00:00
if ( ret ) {
goto out ;
}
2016-08-29 09:17:37 +02:00
enctype = smb_krb5_kt_get_enctype_from_entry ( & kt_entry ) ;
2007-04-23 08:40:54 +00:00
ret = smb_krb5_enctype_to_string ( context , enctype , & etype_s ) ;
2010-08-18 06:46:53 -04:00
if ( ret & &
( asprintf ( & etype_s , " UNKNOWN: %d \n " , enctype ) = = - 1 ) ) {
TALLOC_FREE ( princ_s ) ;
goto out ;
2007-04-23 08:40:54 +00:00
}
2012-01-06 17:48:58 +01:00
printf ( " %3d %-43s %s \n " , kt_entry . vno , etype_s , princ_s ) ;
2007-04-23 08:40:54 +00:00
2009-03-18 16:23:27 +11:00
TALLOC_FREE ( princ_s ) ;
2007-04-23 08:40:54 +00:00
SAFE_FREE ( etype_s ) ;
ret = smb_krb5_kt_free_entry ( context , & kt_entry ) ;
if ( ret ) {
goto out ;
}
}
ret = krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
if ( ret ) {
goto out ;
}
/* Ensure we don't double free. */
ZERO_STRUCT ( kt_entry ) ;
ZERO_STRUCT ( cursor ) ;
out :
2016-12-31 12:45:51 +00:00
if ( ! all_zero ( ( uint8_t * ) & kt_entry , sizeof ( kt_entry ) ) ) {
smb_krb5_kt_free_entry ( context , & kt_entry ) ;
2007-04-23 08:40:54 +00:00
}
2016-12-31 12:45:51 +00:00
if ( ! all_zero ( ( uint8_t * ) & cursor , sizeof ( cursor ) ) & & keytab ) {
krb5_kt_end_seq_get ( context , keytab , & cursor ) ;
2007-04-23 08:40:54 +00:00
}
if ( keytab ) {
krb5_kt_close ( context , keytab ) ;
}
if ( context ) {
krb5_free_context ( context ) ;
}
return ret ;
}
2004-06-17 21:39:51 +00:00
# endif /* HAVE_KRB5 */