s3:libads: 'net ads keytab create' shouldn't write SPN(s)

Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 2c8ac9adb56981eb7893fb655ec3781cc20ebcc6..85f195abcae362c182c29a3600aa63fc9feb6ed3 100644 (file)
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -545,7 +545,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
                p[0] = '\0';
 
                /* Add the SPNs found on the DC */
-               ret = ads_keytab_add_entry(ads, srv_princ, true);
+               ret = ads_keytab_add_entry(ads, srv_princ, false);
                if (ret != 0) {
                        DEBUG(1, ("ads_keytab_add_entry failed while "
                                  "adding '%s' principal.\n",
@@ -558,7 +558,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
           really needs them and we will fall back to verifying against
           secrets.tdb */
 
-       ret = ads_keytab_add_entry(ads, "cifs", true));
+       ret = ads_keytab_add_entry(ads, "cifs", false));
        if (ret != 0 ) {
                DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
                          "adding 'cifs'.\n"));
@@ -607,7 +607,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
                goto done;
        }
 
-       ret = ads_keytab_add_entry(ads, sam_account_name, true);
+       ret = ads_keytab_add_entry(ads, sam_account_name, false);
        if (ret != 0) {
                DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
                          "while adding sAMAccountName (%s)\n",
@@ -618,7 +618,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
        /* remember that not every machine account will have a upn */
        upn = ads_get_upn(ads, frame, machine_name);
        if (upn) {
-               ret = ads_keytab_add_entry(ads, upn, true);
+               ret = ads_keytab_add_entry(ads, upn, false);
                if (ret != 0) {
                        DEBUG(1, (__location__ ": ads_keytab_add_entry() "
                                  "failed while adding UPN (%s)\n", upn));
@@ -732,7 +732,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 
        ret = 0;
        for (i = 0; oldEntries[i]; i++) {
-               ret |= ads_keytab_add_entry(ads, oldEntries[i], true);
+               ret |= ads_keytab_add_entry(ads, oldEntries[i], false);
                TALLOC_FREE(oldEntries[i]);
        }
 

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 7ee00773d835625caa61fab23924d1115135cb65..c4c1a0d40512f19f52fcb3c8e3b3110559293ad1 100644 (file)
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2717,7 +2717,7 @@ int net_ads_keytab(struct net_context *c, int argc, const char **argv)
                        NET_TRANSPORT_ADS,
                        N_("Create a fresh keytab"),
                        N_("net ads keytab create\n"
-                          "    Create a fresh keytab")
+                          "    Create a fresh keytab or update exising one.")
                },
                {
                        "flush",