2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
37 /* This MAX_NAME_LEN is a constant defined in krb5.h */
38 #ifndef MAX_KEYTAB_NAME_LEN
39 #define MAX_KEYTAB_NAME_LEN 1100
42 static krb5_error_code ads_keytab_open(krb5_context context,
45 char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
46 const char *keytab_name = NULL;
47 krb5_error_code ret = 0;
49 switch (lp_kerberos_method()) {
50 case KERBEROS_VERIFY_SYSTEM_KEYTAB:
51 case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
52 ret = krb5_kt_default_name(context,
54 sizeof(keytab_str) - 2);
56 DBG_WARNING("Failed to get default keytab name");
59 keytab_name = keytab_str;
61 case KERBEROS_VERIFY_DEDICATED_KEYTAB:
62 keytab_name = lp_dedicated_keytab_file();
65 DBG_ERR("Invalid kerberos method set (%d)\n",
66 lp_kerberos_method());
67 ret = KRB5_KT_BADNAME;
71 if (keytab_name == NULL || keytab_name[0] == '\0') {
72 DBG_ERR("Invalid keytab name\n");
73 ret = KRB5_KT_BADNAME;
77 ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
79 DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
88 /**********************************************************************
89 Adds a single service principal, i.e. 'host' to the system keytab
90 ***********************************************************************/
92 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
94 krb5_error_code ret = 0;
95 krb5_context context = NULL;
96 krb5_keytab keytab = NULL;
99 krb5_enctype enctypes[6] = {
102 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
103 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
105 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
106 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
108 ENCTYPE_ARCFOUR_HMAC,
111 char *princ_s = NULL;
112 char *short_princ_s = NULL;
113 char *salt_princ_s = NULL;
114 char *password_s = NULL;
116 TALLOC_CTX *tmpctx = NULL;
120 initialize_krb5_error_table();
121 ret = krb5_init_context(&context);
123 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
124 error_message(ret)));
128 ret = ads_keytab_open(context, &keytab);
133 /* retrieve the password */
134 if (!secrets_init()) {
135 DEBUG(1, (__location__ ": secrets_init failed\n"));
139 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
141 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
145 ZERO_STRUCT(password);
146 password.data = password_s;
147 password.length = strlen(password_s);
149 /* we need the dNSHostName value here */
150 tmpctx = talloc_init(__location__);
152 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
157 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
159 DEBUG(0, (__location__ ": unable to determine machine "
160 "account's dns name in AD!\n"));
165 /* make sure we have a single instance of a the computer account */
166 if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
167 DEBUG(0, (__location__ ": unable to determine machine "
168 "account's short name in AD!\n"));
173 /* Construct our principal */
174 if (strchr_m(srvPrinc, '@')) {
175 /* It's a fully-named principal. */
176 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
181 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
182 /* It's the machine account, as used by smbclient clients. */
183 princ_s = talloc_asprintf(tmpctx, "%s@%s",
184 srvPrinc, lp_realm());
190 /* It's a normal service principal. Add the SPN now so that we
191 * can obtain credentials for it and double-check the salt value
192 * used to generate the service's keys. */
194 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
195 srvPrinc, my_fqdn, lp_realm());
200 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
201 srvPrinc, lp_netbios_name(),
203 if (short_princ_s == NULL) {
208 /* According to http://support.microsoft.com/kb/326985/en-us,
209 certain principal names are automatically mapped to the
210 host/... principal in the AD account.
211 So only create these in the keytab, not in AD. --jerry */
213 if (!strequal(srvPrinc, "cifs") &&
214 !strequal(srvPrinc, "host")) {
215 DEBUG(3, (__location__ ": Attempting to add/update "
218 aderr = ads_add_service_principal_name(ads,
219 lp_netbios_name(), my_fqdn, srvPrinc);
220 if (!ADS_ERR_OK(aderr)) {
221 DEBUG(1, (__location__ ": failed to "
222 "ads_add_service_principal_name.\n"));
228 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
230 /* -1 indicates failure, everything else is OK */
231 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
232 "determine the system's kvno.\n"));
237 salt_princ_s = kerberos_secrets_fetch_salt_princ();
238 if (salt_princ_s == NULL) {
239 DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
244 for (i = 0; enctypes[i]; i++) {
246 /* add the fqdn principal to the keytab */
247 ret = smb_krb5_kt_add_entry(context,
257 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
261 /* add the short principal name if we have one */
263 ret = smb_krb5_kt_add_entry(context,
273 DEBUG(1, (__location__
274 ": Failed to add short entry to keytab\n"));
281 SAFE_FREE(salt_princ_s);
285 krb5_kt_close(context, keytab);
288 krb5_free_context(context);
293 /**********************************************************************
294 Flushes all entries from the system keytab.
295 ***********************************************************************/
297 int ads_keytab_flush(ADS_STRUCT *ads)
299 krb5_error_code ret = 0;
300 krb5_context context = NULL;
301 krb5_keytab keytab = NULL;
305 initialize_krb5_error_table();
306 ret = krb5_init_context(&context);
308 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
309 error_message(ret)));
313 ret = ads_keytab_open(context, &keytab);
318 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
320 /* -1 indicates a failure */
321 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
325 /* Seek and delete old keytab entries */
326 ret = smb_krb5_kt_seek_and_delete_old_entries(context,
338 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
339 if (!ADS_ERR_OK(aderr)) {
340 DEBUG(1, (__location__ ": Error while clearing service "
341 "principal listings in LDAP.\n"));
347 krb5_kt_close(context, keytab);
350 krb5_free_context(context);
355 /**********************************************************************
356 Adds all the required service principals to the system keytab.
357 ***********************************************************************/
359 int ads_keytab_create_default(ADS_STRUCT *ads)
361 krb5_error_code ret = 0;
362 krb5_context context = NULL;
363 krb5_keytab keytab = NULL;
364 krb5_kt_cursor cursor = {0};
365 krb5_keytab_entry kt_entry = {0};
368 char *sam_account_name, *upn;
369 char **oldEntries = NULL, *princ_s[26];
378 ZERO_STRUCT(kt_entry);
381 frame = talloc_stackframe();
387 status = ads_get_service_principal_names(frame,
392 if (!ADS_ERR_OK(status)) {
397 for (i = 0; i < num_spns; i++) {
401 srv_princ = strlower_talloc(frame, spn_array[i]);
402 if (srv_princ == NULL) {
407 p = strchr_m(srv_princ, '/');
413 /* Add the SPNs found on the DC */
414 ret = ads_keytab_add_entry(ads, srv_princ);
416 DEBUG(1, ("ads_keytab_add_entry failed while "
417 "adding '%s' principal.\n",
423 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
424 really needs them and we will fall back to verifying against
427 ret = ads_keytab_add_entry(ads, "cifs"));
429 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
430 "adding 'cifs'.\n"));
435 memset(princ_s, '\0', sizeof(princ_s));
437 initialize_krb5_error_table();
438 ret = krb5_init_context(&context);
440 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
441 error_message(ret)));
445 machine_name = talloc_strdup(frame, lp_netbios_name());
451 /* now add the userPrincipalName and sAMAccountName entries */
452 ok = ads_has_samaccountname(ads, frame, machine_name);
454 DEBUG(0, (__location__ ": unable to determine machine "
455 "account's name in AD!\n"));
461 * append '$' to netbios name so 'ads_keytab_add_entry' recognises
462 * it as a machine account rather than a service or Windows SPN.
464 sam_account_name = talloc_asprintf(frame, "%s$",machine_name);
465 if (sam_account_name == NULL) {
469 /* upper case the sAMAccountName to make it easier for apps to
470 know what case to use in the keytab file */
471 if (!strupper_m(sam_account_name)) {
476 ret = ads_keytab_add_entry(ads, sam_account_name);
478 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
479 "while adding sAMAccountName (%s)\n",
484 /* remember that not every machine account will have a upn */
485 upn = ads_get_upn(ads, frame, machine_name);
487 ret = ads_keytab_add_entry(ads, upn);
489 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
490 "failed while adding UPN (%s)\n", upn));
495 /* Now loop through the keytab and update any other existing entries */
496 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
497 if (kvno == (krb5_kvno)-1) {
498 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
499 "determine the system's kvno.\n"));
503 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
506 ret = ads_keytab_open(context, &keytab);
511 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
512 if (ret != KRB5_KT_END && ret != ENOENT ) {
513 while ((ret = krb5_kt_next_entry(context, keytab,
514 &kt_entry, &cursor)) == 0) {
515 smb_krb5_kt_free_entry(context, &kt_entry);
516 ZERO_STRUCT(kt_entry);
520 krb5_kt_end_seq_get(context, keytab, &cursor);
524 * Hmmm. There is no "rewind" function for the keytab. This means we
525 * have a race condition where someone else could add entries after
526 * we've counted them. Re-open asap to minimise the race. JRA.
528 DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
533 oldEntries = talloc_zero_array(frame, char *, found + 1);
535 DEBUG(1, (__location__ ": Failed to allocate space to store "
536 "the old keytab entries (talloc failed?).\n"));
541 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
542 if (ret == KRB5_KT_END || ret == ENOENT) {
543 krb5_kt_end_seq_get(context, keytab, &cursor);
548 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
549 if (kt_entry.vno != kvno) {
550 char *ktprinc = NULL;
553 /* This returns a malloc'ed string in ktprinc. */
554 ret = smb_krb5_unparse_name(oldEntries, context,
558 DEBUG(1, (__location__
559 ": smb_krb5_unparse_name failed "
560 "(%s)\n", error_message(ret)));
564 * From looking at the krb5 source they don't seem to
565 * take locale or mb strings into account.
566 * Maybe this is because they assume utf8 ?
567 * In this case we may need to convert from utf8 to
568 * mb charset here ? JRA.
570 p = strchr_m(ktprinc, '@');
575 p = strchr_m(ktprinc, '/');
579 for (i = 0; i < found; i++) {
580 if (!oldEntries[i]) {
581 oldEntries[i] = ktprinc;
584 if (!strcmp(oldEntries[i], ktprinc)) {
585 TALLOC_FREE(ktprinc);
590 TALLOC_FREE(ktprinc);
593 smb_krb5_kt_free_entry(context, &kt_entry);
594 ZERO_STRUCT(kt_entry);
596 krb5_kt_end_seq_get(context, keytab, &cursor);
600 for (i = 0; oldEntries[i]; i++) {
601 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
602 TALLOC_FREE(oldEntries[i]);
606 TALLOC_FREE(oldEntries);
610 if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
611 smb_krb5_kt_free_entry(context, &kt_entry);
613 if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
614 krb5_kt_end_seq_get(context, keytab, &cursor);
617 krb5_kt_close(context, keytab);
619 krb5_free_context(context);
624 #endif /* HAVE_ADS */
626 /**********************************************************************
628 ***********************************************************************/
630 int ads_keytab_list(const char *keytab_name)
632 krb5_error_code ret = 0;
633 krb5_context context = NULL;
634 krb5_keytab keytab = NULL;
635 krb5_kt_cursor cursor;
636 krb5_keytab_entry kt_entry;
638 ZERO_STRUCT(kt_entry);
641 initialize_krb5_error_table();
642 ret = krb5_init_context(&context);
644 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
645 error_message(ret)));
649 if (keytab_name == NULL) {
651 ret = ads_keytab_open(context, &keytab);
656 ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
659 DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
660 error_message(ret)));
664 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
670 printf("Vno Type Principal\n");
672 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
674 char *princ_s = NULL;
675 char *etype_s = NULL;
676 krb5_enctype enctype = 0;
678 ret = smb_krb5_unparse_name(talloc_tos(), context,
679 kt_entry.principal, &princ_s);
684 enctype = smb_krb5_kt_get_enctype_from_entry(&kt_entry);
686 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
688 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
689 TALLOC_FREE(princ_s);
693 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
695 TALLOC_FREE(princ_s);
698 ret = smb_krb5_kt_free_entry(context, &kt_entry);
704 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
709 /* Ensure we don't double free. */
710 ZERO_STRUCT(kt_entry);
714 if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
715 smb_krb5_kt_free_entry(context, &kt_entry);
717 if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
718 krb5_kt_end_seq_get(context, keytab, &cursor);
722 krb5_kt_close(context, keytab);
725 krb5_free_context(context);
730 #endif /* HAVE_KRB5 */