2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
35 /**********************************************************************
36 **********************************************************************/
38 static krb5_error_code seek_and_delete_old_entries(krb5_context context,
44 bool keep_old_entries)
47 krb5_kt_cursor cursor;
48 krb5_kt_cursor zero_csr;
49 krb5_keytab_entry kt_entry;
50 krb5_keytab_entry zero_kt_entry;
54 ZERO_STRUCT(zero_csr);
55 ZERO_STRUCT(kt_entry);
56 ZERO_STRUCT(zero_kt_entry);
58 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
59 if (ret == KRB5_KT_END && ret == ENOENT ) {
64 DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
65 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
68 if (!flush && (princ_s != NULL)) {
69 ret = smb_krb5_unparse_name(talloc_tos(), context,
73 DEBUG(1, (__location__
74 ": smb_krb5_unparse_name failed "
75 "(%s)\n", error_message(ret)));
79 #ifdef HAVE_KRB5_KT_COMPARE
80 name_ok = krb5_kt_compare(context, &kt_entry,
83 name_ok = (strcmp(ktprinc, princ_s) == 0);
87 DEBUG(10, (__location__ ": ignoring keytab "
88 "entry principal %s, kvno = %d\n",
89 ktprinc, kt_entry.vno));
92 * just free this entry and continue. */
93 ret = smb_krb5_kt_free_entry(context,
95 ZERO_STRUCT(kt_entry);
97 DEBUG(1, (__location__
98 ": smb_krb5_kt_free_entry "
100 error_message(ret)));
104 TALLOC_FREE(ktprinc);
108 TALLOC_FREE(ktprinc);
111 /*------------------------------------------------------------
112 * Save the entries with kvno - 1. This is what microsoft does
113 * to allow people with existing sessions that have kvno - 1
114 * to still work. Otherwise, when the password for the machine
115 * changes, all kerberizied sessions will 'break' until either
116 * the client reboots or the client's session key expires and
117 * they get a new session ticket with the new kvno.
120 if (!flush && (kt_entry.vno == kvno - 1)) {
121 DEBUG(5, (__location__ ": Saving previous (kvno %d) "
122 "entry for principal: %s.\n",
127 if (keep_old_entries) {
128 DEBUG(5, (__location__ ": Saving old (kvno %d) "
129 "entry for principal: %s.\n",
134 DEBUG(5, (__location__ ": Found old entry for principal: %s "
135 "(kvno %d) - trying to remove it.\n",
136 princ_s, kt_entry.vno));
138 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
141 DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
142 "failed (%s)\n", error_message(ret)));
145 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
147 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
148 "failed (%s)\n", error_message(ret)));
152 DEBUG(5, (__location__ ": removed old entry for principal: "
153 "%s (kvno %d).\n", princ_s, kt_entry.vno));
155 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
157 DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
158 "(%s)\n", error_message(ret)));
161 ret = smb_krb5_kt_free_entry(context, &kt_entry);
162 ZERO_STRUCT(kt_entry);
164 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
165 "failed (%s)\n", error_message(ret)));
171 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
172 smb_krb5_kt_free_entry(context, &kt_entry);
175 if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
176 krb5_kt_end_seq_get(context, keytab, &cursor);
183 int smb_krb5_kt_add_entry_ext(krb5_context context,
187 krb5_enctype *enctypes,
190 bool keep_old_entries)
193 krb5_keytab_entry kt_entry;
194 krb5_principal princ = NULL;
197 ZERO_STRUCT(kt_entry);
199 ret = smb_krb5_parse_name(context, princ_s, &princ);
201 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
202 "failed (%s)\n", princ_s, error_message(ret)));
206 /* Seek and delete old keytab entries */
207 ret = seek_and_delete_old_entries(context, keytab, kvno,
208 princ_s, princ, false,
214 /* If we get here, we have deleted all the old entries with kvno's
215 * not equal to the current kvno-1. */
217 /* Now add keytab entries for all encryption types */
218 for (i = 0; enctypes[i]; i++) {
221 keyp = KRB5_KT_KEY(&kt_entry);
223 if (create_kerberos_key_from_string(context, princ,
225 enctypes[i], no_salt)) {
229 kt_entry.principal = princ;
232 DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
233 "encryption type (%d) and version (%d)\n",
234 princ_s, enctypes[i], kt_entry.vno));
235 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
236 krb5_free_keyblock_contents(context, keyp);
237 ZERO_STRUCT(kt_entry);
239 DEBUG(1, (__location__ ": adding entry to keytab "
240 "failed (%s)\n", error_message(ret)));
247 krb5_free_principal(context, princ);
253 static int smb_krb5_kt_add_entry(krb5_context context,
257 krb5_enctype *enctypes,
260 return smb_krb5_kt_add_entry_ext(context,
270 /**********************************************************************
271 Adds a single service principal, i.e. 'host' to the system keytab
272 ***********************************************************************/
274 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
276 krb5_error_code ret = 0;
277 krb5_context context = NULL;
278 krb5_keytab keytab = NULL;
281 krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC,
283 ENCTYPE_ARCFOUR_HMAC,
285 char *princ_s = NULL, *short_princ_s = NULL;
286 char *password_s = NULL;
288 TALLOC_CTX *ctx = NULL;
291 initialize_krb5_error_table();
292 ret = krb5_init_context(&context);
294 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
298 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
300 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
304 /* retrieve the password */
305 if (!secrets_init()) {
306 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
310 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
312 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
316 ZERO_STRUCT(password);
317 password.data = password_s;
318 password.length = strlen(password_s);
320 /* we need the dNSHostName value here */
322 if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
323 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
328 if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
329 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
334 if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
335 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
339 /*strip the trailing '$' */
340 machine_name[strlen(machine_name)-1] = '\0';
342 /* Construct our principal */
344 if (strchr_m(srvPrinc, '@')) {
345 /* It's a fully-named principal. */
346 if (asprintf(&princ_s, "%s", srvPrinc) == -1) {
350 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
351 /* It's the machine account, as used by smbclient clients. */
352 if (asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()) == -1) {
357 /* It's a normal service principal. Add the SPN now so that we
358 * can obtain credentials for it and double-check the salt value
359 * used to generate the service's keys. */
361 if (asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()) == -1) {
365 if (asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm()) == -1) {
370 /* According to http://support.microsoft.com/kb/326985/en-us,
371 certain principal names are automatically mapped to the host/...
372 principal in the AD account. So only create these in the
373 keytab, not in AD. --jerry */
375 if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
376 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
378 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
379 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
385 kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
386 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
387 DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
392 /* add the fqdn principal to the keytab */
394 ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
396 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
400 /* add the short principal name if we have one */
402 if ( short_princ_s ) {
403 ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
405 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
411 SAFE_FREE( princ_s );
412 SAFE_FREE( short_princ_s );
416 krb5_kt_close(context, keytab);
419 krb5_free_context(context);
424 /**********************************************************************
425 Flushes all entries from the system keytab.
426 ***********************************************************************/
428 int ads_keytab_flush(ADS_STRUCT *ads)
430 krb5_error_code ret = 0;
431 krb5_context context = NULL;
432 krb5_keytab keytab = NULL;
436 initialize_krb5_error_table();
437 ret = krb5_init_context(&context);
439 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
440 error_message(ret)));
444 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
446 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
447 error_message(ret)));
451 kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
453 /* -1 indicates a failure */
454 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
458 /* Seek and delete old keytab entries */
459 ret = seek_and_delete_old_entries(context, keytab, kvno,
460 NULL, NULL, true, false);
465 aderr = ads_clear_service_principal_names(ads, global_myname());
466 if (!ADS_ERR_OK(aderr)) {
467 DEBUG(1, (__location__ ": Error while clearing service "
468 "principal listings in LDAP.\n"));
474 krb5_kt_close(context, keytab);
477 krb5_free_context(context);
482 /**********************************************************************
483 Adds all the required service principals to the system keytab.
484 ***********************************************************************/
486 int ads_keytab_create_default(ADS_STRUCT *ads)
488 krb5_error_code ret = 0;
489 krb5_context context = NULL;
490 krb5_keytab keytab = NULL;
491 krb5_kt_cursor cursor;
492 krb5_keytab_entry kt_entry;
495 char *sam_account_name, *upn;
496 char **oldEntries = NULL, *princ_s[26];
497 TALLOC_CTX *ctx = NULL;
498 fstring machine_name;
500 memset(princ_s, '\0', sizeof(princ_s));
502 fstrcpy( machine_name, global_myname() );
504 /* these are the main ones we need */
506 if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
507 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
512 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
513 really needs them and we will fall back to verifying against secrets.tdb */
515 if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
516 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
521 if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
522 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
526 /* now add the userPrincipalName and sAMAccountName entries */
528 if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
529 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
534 /* upper case the sAMAccountName to make it easier for apps to
535 know what case to use in the keytab file */
537 strupper_m( sam_account_name );
539 if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
540 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
545 /* remember that not every machine account will have a upn */
547 upn = ads_get_upn( ads, ctx, machine_name);
549 if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
550 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
557 /* Now loop through the keytab and update any other existing entries... */
559 kvno = (krb5_kvno) ads_get_machine_kvno(ads, machine_name);
561 DEBUG(1,("ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno.\n"));
566 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
567 "preserve and update.\n"));
569 ZERO_STRUCT(kt_entry);
572 initialize_krb5_error_table();
573 ret = krb5_init_context(&context);
575 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
580 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
582 DEBUG(1,("ads_keytab_create_default: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
586 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
587 if (ret != KRB5_KT_END && ret != ENOENT ) {
588 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
589 smb_krb5_kt_free_entry(context, &kt_entry);
590 ZERO_STRUCT(kt_entry);
594 krb5_kt_end_seq_get(context, keytab, &cursor);
598 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
599 * where someone else could add entries after we've counted them. Re-open asap to minimise
603 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
607 oldEntries = talloc_array(ctx, char *, found );
609 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
613 memset(oldEntries, '\0', found * sizeof(char *));
615 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
616 if (ret != KRB5_KT_END && ret != ENOENT ) {
617 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
618 if (kt_entry.vno != kvno) {
619 char *ktprinc = NULL;
622 /* This returns a malloc'ed string in ktprinc. */
623 ret = smb_krb5_unparse_name(oldEntries, context, kt_entry.principal, &ktprinc);
625 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
629 * From looking at the krb5 source they don't seem to take locale
630 * or mb strings into account. Maybe this is because they assume utf8 ?
631 * In this case we may need to convert from utf8 to mb charset here ? JRA.
633 p = strchr_m(ktprinc, '@');
638 p = strchr_m(ktprinc, '/');
642 for (i = 0; i < found; i++) {
643 if (!oldEntries[i]) {
644 oldEntries[i] = ktprinc;
647 if (!strcmp(oldEntries[i], ktprinc)) {
648 TALLOC_FREE(ktprinc);
653 TALLOC_FREE(ktprinc);
656 smb_krb5_kt_free_entry(context, &kt_entry);
657 ZERO_STRUCT(kt_entry);
660 for (i = 0; oldEntries[i]; i++) {
661 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
662 TALLOC_FREE(oldEntries[i]);
664 krb5_kt_end_seq_get(context, keytab, &cursor);
670 TALLOC_FREE(oldEntries);
674 krb5_keytab_entry zero_kt_entry;
675 ZERO_STRUCT(zero_kt_entry);
676 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
677 smb_krb5_kt_free_entry(context, &kt_entry);
681 krb5_kt_cursor zero_csr;
682 ZERO_STRUCT(zero_csr);
683 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
684 krb5_kt_end_seq_get(context, keytab, &cursor);
688 krb5_kt_close(context, keytab);
691 krb5_free_context(context);
696 /**********************************************************************
698 ***********************************************************************/
700 int ads_keytab_list(const char *keytab_name)
702 krb5_error_code ret = 0;
703 krb5_context context = NULL;
704 krb5_keytab keytab = NULL;
705 krb5_kt_cursor cursor;
706 krb5_keytab_entry kt_entry;
708 ZERO_STRUCT(kt_entry);
711 initialize_krb5_error_table();
712 ret = krb5_init_context(&context);
714 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
718 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
720 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
724 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
729 printf("Vno Type Principal\n");
731 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
733 char *princ_s = NULL;
734 char *etype_s = NULL;
735 krb5_enctype enctype = 0;
737 ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal, &princ_s);
742 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
744 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
746 if (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)
748 TALLOC_FREE(princ_s);
753 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
755 TALLOC_FREE(princ_s);
758 ret = smb_krb5_kt_free_entry(context, &kt_entry);
764 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
769 /* Ensure we don't double free. */
770 ZERO_STRUCT(kt_entry);
775 krb5_keytab_entry zero_kt_entry;
776 ZERO_STRUCT(zero_kt_entry);
777 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
778 smb_krb5_kt_free_entry(context, &kt_entry);
782 krb5_kt_cursor zero_csr;
783 ZERO_STRUCT(zero_csr);
784 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
785 krb5_kt_end_seq_get(context, keytab, &cursor);
790 krb5_kt_close(context, keytab);
793 krb5_free_context(context);
798 #endif /* HAVE_KRB5 */