From d4155f8a99849ea60a75d68458eb8b051f80d649 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 20 Dec 2023 11:18:13 +1300
Subject: [PATCH] Make "samba-tool domain exportkeytab" prune old keys
This slowly prepares this to be an update tool, not just a one-off export tool
Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
 source4/libnet/libnet_export_keytab.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index 21aae7b400e..c0b91476580 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -20,7 +20,10 @@
 #include "includes.h"
 #include "system/kerberos.h"
+#include "auth/credentials/credentials.h"
 #include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_util.h"
 #include "kdc/samba_kdc.h"
 #include "libnet/libnet_export_keytab.h"
@@ -77,6 +80,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 for (; code == 0; code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
 int i;
+ bool found_previous = false;
 code = krb5_unparse_name(context, sentry.principal,
@@ -89,6 +93,23 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 goto done;
 }
+ if (copy_one_principal) {
+ code = smb_krb5_remove_obsolete_keytab_entries(mem_ctx,
+ context,
+ keytab,
+ 1, &sentry.principal,
+ sentry.kvno,
+ &found_previous,
+ error_string);
+ if (code != 0) {
+ *error_string = talloc_asprintf(mem_ctx,
+ "Failed to remove old principals from keytab: %s\n",
+ *error_string);
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ }
+
 if (sentry.keys.len == 0) {
 SAFE_FREE(entry_principal);
 sdb_entry_free(&sentry);
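Review bot: The prune runs before the `sentry.keys.len == 0` check that follows it, so when `copy_one_principal` is set and the database entry currently has no keys, the principal's previous keytab entries are removed and nothing is written in their place; if leaving that principal without any keytab entry is intended, a comment above `if (copy_one_principal) {` saying so would help, otherwise moving the block below that check keeps the old entries until there is something to replace them with. The error path hands `*error_string` to `%s` without confirming the callee set it, so a failure that leaves it NULL reaches talloc_asprintf with a null `%s` argument; `*error_string ? *error_string : "unknown error"` is a cheap guard. `found_previous` is filled in by the call but never read anywhere in this hunk, so its purpose is not visible here; if it remains unused after the series, the declaration added in the previous hunk can be dropped. sdb_kt_copy starts and ends outside the hunk.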