2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 2 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 Adds a single service principal, i.e. 'host' to the system keytab
35 int ads_keytab_add_entry(const char *srvPrinc, ADS_STRUCT *ads)
40 krb5_kt_cursor cursor;
41 krb5_keytab_entry entry;
44 krb5_enctype *enctypes = NULL;
48 char *principal = NULL;
50 char *password_s = NULL;
51 char keytab_name[MAX_KEYTAB_NAME_LEN]; /* This MAX_NAME_LEN is a constant defined in krb5.h */
58 initialize_krb5_error_table();
59 ret = krb5_init_context(&context);
61 DEBUG(1,("could not krb5_init_context: %s\n",error_message(ret)));
64 #ifdef HAVE_WRFILE_KEYTAB /* MIT */
67 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
69 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
72 DEBUG(1,("krb5_kt_default_name failed (%s)\n", error_message(ret)));
74 DEBUG(1,("Using default system keytab: %s\n", (char *) &keytab_name));
75 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
77 DEBUG(1,("krb5_kt_resolve failed (%s)\n", error_message(ret)));
81 ret = get_kerberos_allowed_etypes(context,&enctypes);
83 DEBUG(1,("get_kerberos_allowed_etypes failed (%s)\n",error_message(ret)));
87 /* retrieve the password */
88 if (!secrets_init()) {
89 DEBUG(1,("secrets_init failed\n"));
93 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
95 DEBUG(1,("failed to fetch machine password\n"));
99 password.data = password_s;
100 password.length = strlen(password_s);
102 /* Construct our principal */
103 fstrcpy(myname, global_myname());
104 hp = gethostbyname(myname);
105 if ( hp->h_name && strlen(hp->h_name) > 0 ) {
106 fstrcpy(myname,hp->h_name);
109 asprintf(&princ_s, "%s/%s@%s", srvPrinc, myname, lp_realm());
111 ret = krb5_parse_name(context, princ_s, &princ);
113 DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
117 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
118 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
119 DEBUG(1,("ads_get_kvno failed to determine the system's kvno.\n"));
124 /* Seek and delete old keytab entries */
125 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
126 if (ret != KRB5_KT_END && ret != ENOENT ) {
127 DEBUG(1,("Will try to delete old keytab entries\n"));
128 while(!krb5_kt_next_entry(context, keytab, &entry, &cursor)) {
130 krb5_unparse_name(context, entry.principal, &ktprinc);
132 /*---------------------------------------------------------------------------
133 * Save the entries with kvno - 1. This is what microsoft does
134 * to allow people with existing sessions that have kvno - 1 to still
135 * work. Otherwise, when the password for the machine changes, all
136 * kerberizied sessions will 'break' until either the client reboots or
137 * the client's session key expires and they get a new session ticket
141 #ifdef HAVE_KRB5_KT_COMPARE
142 if (krb5_kt_compare(context, &entry, princ, 0, 0) == True && entry.vno != kvno - 1) {
144 if (strcmp(ktprinc, princ_s) == 0 && entry.vno != kvno - 1) {
147 DEBUG(1,("Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
148 princ_s, entry.vno));
149 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
151 DEBUG(1,("krb5_kt_end_seq_get() failed (%s)\n", error_message(ret)));
154 ret = krb5_kt_remove_entry(context, keytab, &entry);
156 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n", error_message(ret)));
159 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
161 DEBUG(1,("krb5_kt_start_seq failed (%s)\n", error_message(ret)));
164 ret = krb5_kt_free_entry(context, &entry);
166 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n", error_message(ret)));
174 ret = krb5_kt_free_entry(context, &entry);
176 DEBUG(1,("krb5_kt_free_entry failed (%s)\n", error_message(ret)));
181 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
183 DEBUG(1,("krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
188 /* Add keytab entries for all encryption types */
189 for (i = 0; enctypes[i]; i++) {
191 key = (krb5_keyblock *) malloc(sizeof(*key));
193 DEBUG(1,("Failed to allocate memory to store the keyblock.\n"));
198 if (create_kerberos_key_from_string(context, princ, &password, key, enctypes[i])) {
202 entry.principal = princ;
205 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
206 #error krb5_keytab_entry has no key or keyblock member
208 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
211 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
212 entry.keyblock = *key;
214 DEBUG(3,("adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
215 princ_s, enctypes[i], entry.vno));
216 ret = krb5_kt_add_entry(context, keytab, &entry);
217 krb5_free_keyblock(context, key);
219 DEBUG(1,("adding entry to keytab failed (%s)\n", error_message(ret)));
220 krb5_kt_close(context, keytab);
225 /* Update the LDAP with the SPN */
226 DEBUG(1,("Attempting to add/update '%s'\n", princ_s));
227 if (!ADS_ERR_OK(ads_add_spn(ads, global_myname(), srvPrinc))) {
228 DEBUG(1,("ads_add_spn failed.\n"));
234 krb5_kt_close(context, keytab);
235 krb5_free_principal(context, princ);
254 Flushes all entries from the system keytab.
256 int ads_keytab_flush(ADS_STRUCT *ads)
259 krb5_context context;
261 krb5_kt_cursor cursor;
262 krb5_keytab_entry entry;
264 char keytab_name[MAX_KEYTAB_NAME_LEN];
266 initialize_krb5_error_table();
267 ret = krb5_init_context(&context);
269 DEBUG(1,("could not krb5_init_context: %s\n",error_message(ret)));
272 #ifdef HAVE_WRFILE_KEYTAB
273 keytab_name[0] = 'W';
274 keytab_name[1] = 'R';
275 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
277 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
280 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
283 DEBUG(1,("Using default keytab: %s\n", (char *) &keytab_name));
284 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
286 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
289 DEBUG(1,("Using default keytab: %s\n", (char *) &keytab_name));
290 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
292 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
296 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
297 if (kvno == -1) { /* -1 indicates a failure */
298 DEBUG(1,("Error determining the system's kvno.\n"));
302 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
303 if (ret != KRB5_KT_END && ret != ENOENT) {
304 while (!krb5_kt_next_entry(context, keytab, &entry, &cursor)) {
305 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
307 DEBUG(1,("krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
310 ret = krb5_kt_remove_entry(context, keytab, &entry);
312 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
315 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
317 DEBUG(1,("krb5_kt_start_seq failed (%s)\n",error_message(ret)));
320 ret = krb5_kt_free_entry(context, &entry);
322 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
327 if (!ADS_ERR_OK(ads_clear_spns(ads, global_myname()))) {
328 DEBUG(1,("Error while clearing service principal listings in LDAP.\n"));
334 krb5_kt_close(context, keytab);
339 int ads_keytab_create_default(ADS_STRUCT *ads)
342 krb5_context context;
344 krb5_kt_cursor cursor;
345 krb5_keytab_entry entry;
351 ret = ads_keytab_add_entry("host", ads);
353 DEBUG(1,("ads_keytab_add_entry failed while adding 'host'.\n"));
356 ret = ads_keytab_add_entry("cifs", ads);
358 DEBUG(1,("ads_keytab_add_entry failed while adding 'cifs'.\n"));
362 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
364 DEBUG(1,("ads_get_kvno failed to determine the system's kvno.\n"));
368 DEBUG(1,("Searching for keytab entries to preserve and update.\n"));
369 /* Now loop through the keytab and update any other existing entries... */
370 initialize_krb5_error_table();
371 ret = krb5_init_context(&context);
373 DEBUG(1,("could not krb5_init_context: %s\n",error_message(ret)));
376 ret = krb5_kt_default(context, &keytab);
378 DEBUG(1,("krb5_kt_default failed (%s)\n",error_message(ret)));
382 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
383 if (ret != KRB5_KT_END && ret != ENOENT ) {
384 while ((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
389 DEBUG(1, ("Found %d entries in the keytab.\n", found));
393 oldEntries = (char **) malloc(found * sizeof(char *));
395 DEBUG(1,("Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
398 memset(oldEntries, 0, found * sizeof(char *));
400 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
401 if (ret != KRB5_KT_END && ret != ENOENT ) {
402 while ((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
403 if (entry.vno != kvno) {
404 krb5_unparse_name(context, entry.principal, &ktprinc);
405 for (i = 0; *(ktprinc + i); i++) {
406 if (*(ktprinc + i) == '/') {
407 *(ktprinc + i) = (char) NULL;
411 for (i = 0; i < found; i++) {
412 if (!oldEntries[i]) {
413 oldEntries[i] = ktprinc;
416 if (!strcmp(oldEntries[i], ktprinc)) {
422 for (i = 0; oldEntries[i]; i++) {
423 ret |= ads_keytab_add_entry(oldEntries[i], ads);
431 krb5_kt_close(context, keytab);
434 #endif /* HAVE_KRB5 */