samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"

This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python/samba/netcmd/domain/keytab.py

@@ -46,6 +46,7 @@ else:
 
         takes_options = [
             Option("--principal", help="extract only this principal", type=str),
+            Option("--keep-stale-entries", help="keep stale keys in keytab (useful for collecting keys for Wireshark)", action="store_true"),
         ]
 
         takes_args = ["keytab"]
@@ -56,8 +57,12 @@ else:
                 sambaopts=None,
                 versionopts=None,
                 hostopts=None,
-                principal=None):
+                principal=None,
+                keep_stale_entries=None):
             lp = sambaopts.get_loadparm()
             net = Net(None, lp)
             samdb = self.ldb_connect(hostopts, sambaopts, credopts)
-            net.export_keytab(samdb=samdb, keytab=keytab, principal=principal)
+            net.export_keytab(samdb=samdb,
+                              keytab=keytab,
+                              principal=principal,
+                              keep_stale_entries=keep_stale_entries)

source4/libnet/libnet_export_keytab.c

@@ -35,6 +35,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			    struct samba_kdc_db_context *db_ctx,
 			    const char *keytab_name,
 			    const char *principal,
+			    bool keep_stale_entries,
 			    const char **error_string)
 {
 	struct sdb_entry sentry = {};
@@ -100,7 +101,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
 
-		if (copy_one_principal) {
+		if (!keep_stale_entries) {
 			code = smb_krb5_remove_obsolete_keytab_entries(mem_ctx,
 								       context,
 								       keytab,
@@ -238,6 +239,8 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 	const char *error_string = NULL;
 	NTSTATUS status;
 
+	bool keep_stale_entries = r->in.keep_stale_entries;
+
 	ret = smb_krb5_init_context(ctx, ctx->lp_ctx, &smb_krb5_context);
 	if (ret) {
 		return NT_STATUS_NO_MEMORY;
@@ -259,23 +262,27 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 
 	if (r->in.principal != NULL) {
 		DEBUG(0, ("Export one principal to %s\n", r->in.keytab_name));
-		status = sdb_kt_copy(mem_ctx,
-				     smb_krb5_context,
-				     db_ctx,
-				     r->in.keytab_name,
-				     r->in.principal,
-				     &error_string);
 	} else {
-		unlink(r->in.keytab_name);
 		DEBUG(0, ("Export complete keytab to %s\n", r->in.keytab_name));
-		status = sdb_kt_copy(mem_ctx,
-				     smb_krb5_context,
-				     db_ctx,
-				     r->in.keytab_name,
-				     NULL,
-				     &error_string);
+		if (!keep_stale_entries) {
+			unlink(r->in.keytab_name);
+			/*
+			 * No point looking for old
+			 * keys in a empty file
+			 */
+			keep_stale_entries = true;
+		}
 	}
 
+
+	status = sdb_kt_copy(mem_ctx,
+			     smb_krb5_context,
+			     db_ctx,
+			     r->in.keytab_name,
+			     r->in.principal,
+			     keep_stale_entries,
+			     &error_string);
+
 	talloc_free(db_ctx);
 	talloc_free(base_ctx);
 

source4/libnet/libnet_export_keytab.h

@@ -24,6 +24,7 @@ struct libnet_export_keytab {
 		const char *keytab_name;
 		const char *principal;
 		struct ldb_context *samdb;
+		bool keep_stale_entries;
 	} in;
 	struct {
 		const char *error_string;

source4/libnet/py_net_dckeytab.c

@@ -35,17 +35,30 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
 	struct libnet_export_keytab r;
 	PyObject *py_samdb = NULL;
 	TALLOC_CTX *mem_ctx;
-	const char *kwnames[] = { "keytab", "samdb", "principal", NULL };
+	const char *kwnames[] = { "keytab",
+				  "samdb",
+				  "principal",
+				  "keep_stale_entries",
+				  NULL };
 	NTSTATUS status;
+	/*
+	 * int, with values true or false, to match expectation of
+	 * PyArg_ParseTupleAndKeywords()
+	 */
+	int keep_stale_entries = false;
+
 	r.in.principal = NULL;
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|Oz:export_keytab", discard_const_p(char *, kwnames),
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|Ozp:export_keytab", discard_const_p(char *, kwnames),
 					 &r.in.keytab_name,
 					 &py_samdb,
-					 &r.in.principal)) {
+					 &r.in.principal,
+					 &keep_stale_entries)) {
 		return NULL;
 	}
 
+	r.in.keep_stale_entries = keep_stale_entries;
+
 	if (py_samdb == NULL) {
 		r.in.samdb = NULL;
 	} else {