s4-kerberos Move 'set key into keytab' code out of credentials.

author Andrew Bartlett <abartlet@samba.org>

Thu, 23 Sep 2010 07:01:44 +0000 (17:01 +1000)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 23 Sep 2010 23:25:44 +0000 (09:25 +1000)
author Andrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2010 07:01:44 +0000 (17:01 +1000)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2010 23:25:44 +0000 (09:25 +1000)
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h

index b7a9540d868712f417acaa76cf92b2ed39709b9d..b7023cd17b9b1ecfdcae964470a1ab2743ea5716 100644 (file)
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -142,6 +142,7 @@ struct cli_credentials {
  };
  
  struct ldb_context;
+struct ldb_message;
  struct loadparm_context;
  struct ccache_container;
  
@@ -268,9 +269,6 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
                                     struct loadparm_context *lp_ctx,
                                     const char *keytab_name, 
                                     enum credentials_obtained obtained);
-int cli_credentials_update_keytab(struct cli_credentials *cred, 
-                                 struct tevent_context *event_ctx,
-                                 struct loadparm_context *lp_ctx);
  void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
  uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
  int cli_credentials_set_ccache(struct cli_credentials *cred, 
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c

index 8ad395ddc84eb5d97347af52157fcbbdc5c49ac7..e1990a87138c89b4d3a8a919b4584ee1237a3d4a 100644 (file)
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -35,7 +35,6 @@
  #include "lib/events/events.h"
  #include "dsdb/samdb/samdb.h"
  
-
  /**
   * Read a file descriptor, and parse it for a password (eg from a file or stdin)
   *
@@ -193,7 +192,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
         const char *realm;
         enum netr_SchannelType sct;
         const char *salt_principal;
-       const char *keytab;
+       char *keytab;
         const struct ldb_val *whenChanged;
  
         /* ok, we are going to get it now, don't recurse back here */
@@ -310,17 +309,10 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
         /* If there was an external keytab specified by reference in
          * the LDB, then use this.  Otherwise we will make one up
          * (chewing CPU time) from the password */
-       keytab = ldb_msg_find_attr_as_string(msg, "krb5Keytab", NULL);
+       keytab = keytab_name_from_msg(cred, ldb, msg);
         if (keytab) {
                 cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
-       } else {
-               keytab = ldb_msg_find_attr_as_string(msg, "privateKeytab", NULL);
-               if (keytab) {
-                       keytab = talloc_asprintf(mem_ctx, "FILE:%s", samdb_relative_path(ldb, mem_ctx, keytab));
-                       if (keytab) {
-                               cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
-                       }
-               }
+               talloc_free(keytab);
         }
         talloc_free(mem_ctx);
         
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c

index 4021146821f7a3f7144a3cafe2fb0dc02d667c26..6e11a5fb02b7d0e729e2a8e317b1f361ed2c7dbf 100644 (file)
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -595,7 +595,6 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
         krb5_error_code ret;
         struct keytab_container *ktc;
         struct smb_krb5_context *smb_krb5_context;
-       const char **enctype_strings;
         TALLOC_CTX *mem_ctx;
  
         if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
@@ -619,11 +618,8 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
                 return ENOMEM;
         }
  
-       enctype_strings = cli_credentials_get_enctype_strings(cred);
-       
         ret = smb_krb5_create_memory_keytab(mem_ctx, cred, 
-                                           smb_krb5_context, 
-                                           enctype_strings, &ktc);
+                                           smb_krb5_context, &ktc);
         if (ret) {
                 talloc_free(mem_ctx);
                 return ret;
@@ -682,41 +678,6 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
         return ret;
  }
  
-_PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, 
-                                          struct tevent_context *event_ctx,
-                                 struct loadparm_context *lp_ctx)
-{
-       krb5_error_code ret;
-       struct keytab_container *ktc;
-       struct smb_krb5_context *smb_krb5_context;
-       const char **enctype_strings;
-       TALLOC_CTX *mem_ctx;
-       
-       mem_ctx = talloc_new(cred);
-       if (!mem_ctx) {
-               return ENOMEM;
-       }
-
-       ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
-       if (ret) {
-               talloc_free(mem_ctx);
-               return ret;
-       }
-
-       enctype_strings = cli_credentials_get_enctype_strings(cred);
-       
-       ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
-       if (ret != 0) {
-               talloc_free(mem_ctx);
-               return ret;
-       }
-
-       ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc);
-
-       talloc_free(mem_ctx);
-       return ret;
-}
-
  /* Get server gss credentials (in gsskrb5, this means the keytab) */
  
  _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, 
@@ -810,21 +771,6 @@ _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred)
  }
  
  
-const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred) 
-{
-       /* If this is ever made user-configurable, we need to add code
-        * to remove/hide the other entries from the generated
-        * keytab */
-       static const char *default_enctypes[] = {
-               "des-cbc-md5",
-               "aes256-cts-hmac-sha1-96",
-               "des3-cbc-sha1",
-               "arcfour-hmac-md5",
-               NULL
-       };
-       return default_enctypes;
-}
-
  const char *cli_credentials_get_salt_principal(struct cli_credentials *cred) 
  {
         return cred->salt_principal;
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h

index b58014f4930a6db309ebf4431f2f4725e3138393..091242dc82c3c963e029a099eb46ae8d8bad95bd 100644 (file)
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -142,9 +142,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
                                      time_t tgs_authtime,
                                      DATA_BLOB *pac);
  struct loadparm_context;
+struct ldb_message;
+struct ldb_context;
  uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
  /* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
  krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap);
+krb5_error_code smb_krb5_update_keytab(struct smb_krb5_context *smb_krb5_context,
+                                      struct ldb_context *ldb, 
+                                      struct ldb_message *msg,
+                                      bool delete_all_kvno);
  
  #include "auth/kerberos/proto.h"
  
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c

index d77a51916fae63f5fb95955654b8f1d6251018a4..dbe8c838650db4fed0b122ec782dc9e97fc88889 100644 (file)
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -27,6 +27,8 @@
  #include "auth/credentials/credentials_proto.h"
  #include "auth/credentials/credentials_krb5.h"
  #include "auth/kerberos/kerberos_credentials.h"
+#include "ldb.h"
+#include "param/secrets.h"
  
  struct principal_container {
         struct smb_krb5_context *smb_krb5_context;
@@ -77,51 +79,158 @@ static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
         return 0;
  }
  
-static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
-                                                      struct cli_credentials *machine_account, 
-                                                      struct smb_krb5_context *smb_krb5_context,
-                                                      krb5_principal *salt_princ)
+static krb5_error_code principal_from_msg(TALLOC_CTX *parent_ctx, 
+                                         struct ldb_message *msg,
+                                         struct smb_krb5_context *smb_krb5_context,
+                                         krb5_principal *principal,
+                                         char **_princ_string,
+                                         const char **error_string)
  {
         krb5_error_code ret;
-       char *machine_username;
-       char *salt_body;
-       char *lower_realm;
-       const char *salt_principal;
-       const char *error_string;
+       char *upper_realm;
+       const char *servicePrincipalName = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL);
+       const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
+       const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+       TALLOC_CTX *tmp_ctx;
+       char *princ_string;
         if (!mem_ctx) {
+               *error_string = "Cannot allocate mem_ctx";
                 return ENOMEM;
         }
  
-       salt_principal = cli_credentials_get_salt_principal(machine_account);
-       if (salt_principal) {
-               ret = parse_principal(parent_ctx, salt_principal, smb_krb5_context, salt_princ, &error_string);
+       tmp_ctx = talloc_new(mem_ctx);
+       if (!tmp_ctx) {
+               talloc_free(mem_ctx);
+               *error_string = "Cannot allocate tmp_ctx";
+               return ENOMEM;
+       }
+
+       if (!realm) {
+               *error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
+               return EINVAL;
+       }
+
+       upper_realm = strupper_talloc(tmp_ctx, realm);
+       if (!upper_realm) {
+               talloc_free(mem_ctx);
+               *error_string = "Cannot allocate full upper case realm";
+               return ENOMEM;
+       }
+               
+       if (samAccountName) {
+               princ_string = talloc_asprintf(parent_ctx, "%s@%s", samAccountName, upper_realm);
+               if (!princ_string) {
+                       *error_string = "Cannot allocate full samAccountName";
+                       return ENOMEM;
+               }
+               
+               ret = krb5_make_principal(smb_krb5_context->krb5_context, principal, upper_realm, samAccountName, 
+                                         NULL);
+       } else if (servicePrincipalName) {
+               princ_string = talloc_asprintf(parent_ctx, "%s@%s", servicePrincipalName, upper_realm);
+               if (!princ_string) {
+                       *error_string = "Cannot allocate full servicePrincipalName";
+                       return ENOMEM;
+               }
+               
+               ret = krb5_parse_name(smb_krb5_context->krb5_context, princ_string, principal);
+       } else {
+               *error_string = "Cannot have a kerberos secret without a samAccountName or servicePrinipcalName!";
+               return EINVAL;
+       }
+
+       if (ret == 0) {
+               /* This song-and-dance effectivly puts the principal
+                * into talloc, so we can't loose it. */
+               mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
+               mem_ctx->principal = *principal;
+               talloc_set_destructor(mem_ctx, free_principal);
+               if (_princ_string) {
+                       *_princ_string = princ_string;
+               }
         } else {
-               machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
+               (*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
+       }
+
+       talloc_free(tmp_ctx);
+       return ret;
+}
+
+static krb5_error_code salt_principal_from_msg(TALLOC_CTX *parent_ctx, 
+                                              struct ldb_message *msg, 
+                                              struct smb_krb5_context *smb_krb5_context,
+                                              krb5_principal *salt_princ,
+                                              const char **error_string)
+{
+       const char *salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
+       const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
+       const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
+       if (salt_principal) {
+               return parse_principal(parent_ctx, salt_principal, smb_krb5_context, salt_princ, error_string);
+       } else if (samAccountName) {
+               krb5_error_code ret;
+               char *machine_username;
+               char *salt_body;
+               char *lower_realm;
+               char *upper_realm;
+
+               TALLOC_CTX *tmp_ctx;
+               struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+               if (!mem_ctx) {
+                       *error_string = "Cannot allocate mem_ctx";
+                       return ENOMEM;
+               }
+
+               tmp_ctx = talloc_new(mem_ctx);
+               if (!tmp_ctx) {
+                       talloc_free(mem_ctx);
+                       *error_string = "Cannot allocate tmp_ctx";
+                       return ENOMEM;
+               }
+
+               if (!realm) {
+                       *error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
+                       return EINVAL;
+               }
                 
+               machine_username = talloc_strdup(tmp_ctx, samAccountName);
                 if (!machine_username) {
                         talloc_free(mem_ctx);
+                       *error_string = "Cannot duplicate samAccountName";
                         return ENOMEM;
                 }
                 
                 if (machine_username[strlen(machine_username)-1] == '$') {
                         machine_username[strlen(machine_username)-1] = '\0';
                 }
-               lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
+
+               lower_realm = strlower_talloc(tmp_ctx, realm);
                 if (!lower_realm) {
                         talloc_free(mem_ctx);
+                       *error_string = "Cannot allocate to lower case realm";
+                       return ENOMEM;
+               }
+               
+               upper_realm = strupper_talloc(tmp_ctx, realm);
+               if (!upper_realm) {
+                       talloc_free(mem_ctx);
+                       *error_string = "Cannot allocate to upper case realm";
                         return ENOMEM;
                 }
                 
-               salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, 
+               salt_body = talloc_asprintf(tmp_ctx, "%s.%s", machine_username, 
                                             lower_realm);
+               talloc_free(lower_realm);
+               talloc_free(machine_username);
                 if (!salt_body) {
                         talloc_free(mem_ctx);
-               return ENOMEM;
+                       *error_string = "Cannot form salt principal body";
+                       return ENOMEM;
                 }
                 
                 ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, 
-                                         cli_credentials_get_realm(machine_account), 
+                                         upper_realm,
                                           "host", salt_body, NULL);
                 if (ret == 0) {
                         /* This song-and-dance effectivly puts the principal
@@ -129,10 +238,15 @@ static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
                         mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
                         mem_ctx->principal = *salt_princ;
                         talloc_set_destructor(mem_ctx, free_principal);
+               } else {
+                       (*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
+                       talloc_free(tmp_ctx);
                 }
+               return ret;
+       } else {
+               /* Catch the servicePrincipalName case */
+               return principal_from_msg(parent_ctx, msg, smb_krb5_context, salt_princ, NULL, error_string);
         } 
-
-       return ret;
  }
  
  /* Obtain the principal set on this context.  Requires a
@@ -140,7 +254,7 @@ static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
   * the library routines.  The returned princ is placed in the talloc
   * system by means of a destructor (do *not* free). */
  
- krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
+krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
                                             struct cli_credentials *credentials, 
                                             struct smb_krb5_context *smb_krb5_context,
                                             krb5_principal *princ,
@@ -371,7 +485,7 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
                                        int kvno,
                                        const char *password_s,
                                        struct smb_krb5_context *smb_krb5_context,
-                                      const char **enctype_strings,
+                                      krb5_enctype *enctypes,
                                        krb5_keytab keytab)
  {
         int i;
@@ -385,20 +499,10 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
         password.data = discard_const_p(char *, password_s);
         password.length = strlen(password_s);
  
-       for (i=0; enctype_strings[i]; i++) {
+       for (i=0; enctypes[i]; i++) {
                 krb5_keytab_entry entry;
-               krb5_enctype enctype;
-               ret = krb5_string_to_enctype(smb_krb5_context->krb5_context, enctype_strings[i], &enctype);
-               if (ret != 0) {
-                       DEBUG(1, ("Failed to interpret %s as a krb5 encryption type: %s\n",                               
-                                 enctype_strings[i],
-                                 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                            ret, mem_ctx)));
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
                 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
-                                                     salt_princ, &password, &entry.keyblock, enctype);
+                                                     salt_princ, &password, &entry.keyblock, enctypes[i]);
                 if (ret != 0) {
                         talloc_free(mem_ctx);
                         return ret;
@@ -408,8 +512,8 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
                  entry.vno       = kvno;
                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
                 if (ret != 0) {
-                       DEBUG(1, ("Failed to add %s entry for %s(kvno %d) to keytab: %s\n",
-                                 enctype_strings[i],
+                       DEBUG(1, ("Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+                                 (int)enctypes[i],
                                   princ_string,
                                   kvno,
                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
@@ -419,9 +523,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
                         return ret;
                 }
  
-               DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n", 
+               DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n", 
                           princ_string, kvno,
-                         enctype_strings[i]));
+                         (int)enctypes[i]));
                 
                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
         }
@@ -430,110 +534,65 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
  }
  
  static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
-                        struct cli_credentials *machine_account,
-                        struct smb_krb5_context *smb_krb5_context,
-                        const char **enctype_strings,
-                        krb5_keytab keytab,
-                        bool add_old) 
+                                    struct ldb_message *msg,
+                                    struct smb_krb5_context *smb_krb5_context,
+                                    krb5_keytab keytab,
+                                    bool add_old) 
  {
         krb5_error_code ret;
         const char *password_s;
         const char *old_secret;
         int kvno;
+       uint32_t enctype_bitmap;
         krb5_principal salt_princ;
         krb5_principal princ;
-       const char *princ_string;
+       char *princ_string;
+       krb5_enctype *enctypes;
         const char *error_string;
-       enum credentials_obtained obtained;
  
         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
         if (!mem_ctx) {
                 return ENOMEM;
         }
  
-       princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
         /* Get the principal we will store the new keytab entries under */
-       ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ, &obtained, &error_string);
+       ret = principal_from_msg(mem_ctx, msg, smb_krb5_context, &princ, &princ_string, &error_string);
         if (ret) {
-               DEBUG(1,("create_keytab: makeing krb5 principal failed (%s)\n", error_string));
+               DEBUG(1,("create_keytab: getting krb5 principal from ldb message failed: %s\n", error_string));
                 talloc_free(mem_ctx);
                 return ret;
         }
  
         /* The salt used to generate these entries may be different however, fetch that */
-       ret = salt_principal_from_credentials(mem_ctx, machine_account, 
-                                             smb_krb5_context, 
-                                             &salt_princ);
+       ret = salt_principal_from_msg(mem_ctx, msg,
+                                     smb_krb5_context, 
+                                     &salt_princ, &error_string);
         if (ret) {
                 DEBUG(1,("create_keytab: makeing salt principal failed (%s)\n",
-                        smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                   ret, mem_ctx)));
+                        error_string));
                 talloc_free(mem_ctx);
                 return ret;
         }
  
         /* Finally, do the dance to get the password to put in the entry */
-       password_s = cli_credentials_get_password(machine_account);
-       if (!password_s) {
-               krb5_keytab_entry entry;
-               const struct samr_Password *mach_pwd;
-
-               if (!str_list_check(enctype_strings, "arcfour-hmac-md5")) {
-                       DEBUG(1, ("Asked to create keytab, but with only an NT hash supplied, "
-                                 "but not listing arcfour-hmac-md5 as an enc type to include in the keytab!\n"));
-                       talloc_free(mem_ctx);
-                       return EINVAL;
-               }
-
-               /* If we don't have the plaintext password, try for
-                * the MD4 password hash */
-               mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
-               if (!mach_pwd) {
-                       /* OK, nothing to do here */
-                       talloc_free(mem_ctx);
-                       return 0;
-               }
-               ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
-                                        ETYPE_ARCFOUR_HMAC_MD5,
-                                        mach_pwd->hash, sizeof(mach_pwd->hash), 
-                                        &entry.keyblock);
-               if (ret) {
-                       DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n",
-                                 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                            ret, mem_ctx)));
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
+       password_s =  ldb_msg_find_attr_as_string(msg, "secret", NULL);
+       kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
  
-               entry.principal = princ;
-               entry.vno       = cli_credentials_get_kvno(machine_account);
-               ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
-               if (ret) {
-                       DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
-                                 cli_credentials_get_principal(machine_account, mem_ctx), 
-                                 smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
-                                                            ret, mem_ctx)));
-                       talloc_free(mem_ctx);
-                       krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
-                       return ret;
-               }
-               
-               DEBUG(5, ("Added %s(kvno %d) to keytab (arcfour-hmac-md5)\n", 
-                         cli_credentials_get_principal(machine_account, mem_ctx),
-                         cli_credentials_get_kvno(machine_account)));
-
-               krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
-
-               /* Can't go any further, we only have this one key */
+       enctype_bitmap = (uint32_t)ldb_msg_find_attr_as_int(msg, "msDS-SupportedEncryptionTypes", ENC_ALL_TYPES);
+       
+       ret = kerberos_enctype_bitmap_to_enctypes(mem_ctx, enctype_bitmap, &enctypes);
+       if (ret) {
+               DEBUG(1,("create_keytab: generating list of encryption types failed (%s)\n",
+                        smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
+                                                   ret, mem_ctx)));
                 talloc_free(mem_ctx);
-               return 0;
+               return ret;
         }
-       
-       kvno = cli_credentials_get_kvno(machine_account);
+
         /* good, we actually have the real plaintext */
         ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
                               kvno, password_s, smb_krb5_context, 
-                             enctype_strings, keytab);
+                             enctypes, keytab);
         if (!ret) {
                 talloc_free(mem_ctx);
                 return ret;
@@ -544,15 +603,15 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
                 return 0;
         }
  
-       old_secret = cli_credentials_get_old_password(machine_account);
+       old_secret = ldb_msg_find_attr_as_string(msg, "priorSecret", NULL);
         if (!old_secret) {
                 talloc_free(mem_ctx);
                 return 0;
         }
-       
+
         ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
                               kvno - 1, old_secret, smb_krb5_context, 
-                             enctype_strings, keytab);
+                             enctypes, keytab);
         if (!ret) {
                 talloc_free(mem_ctx);
                 return ret;
@@ -562,7 +621,6 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
         return 0;
  }
  
-
  /*
   * Walk the keytab, looking for entries of this principal name, with KVNO other than current kvno -1.
   *
@@ -573,7 +631,8 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
   */
  
  static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
-                                         struct cli_credentials *machine_account,
+                                         struct ldb_message *msg,
+                                         bool delete_all_kvno,
                                           struct smb_krb5_context *smb_krb5_context,
                                           krb5_keytab keytab, bool *found_previous)
  {
@@ -582,26 +641,23 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
         krb5_principal princ;
         int kvno;
         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
-       const char *princ_string;
+       char *princ_string;
         const char *error_string;
-       enum credentials_obtained obtained;
  
         if (!mem_ctx) {
                 return ENOMEM;
         }
  
         *found_previous = false;
-       princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
-
         /* Get the principal we will store the new keytab entries under */
-       ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ, &obtained, &error_string);
+       ret = principal_from_msg(mem_ctx, msg, smb_krb5_context, &princ, &princ_string, &error_string);
         if (ret) {
-               DEBUG(1,("update_keytab: makeing krb5 principal failed (%s)\n", error_string));
+               DEBUG(1,("remove_old_entries: getting krb5 principal from ldb message failed: %s\n", error_string));
                 talloc_free(mem_ctx);
                 return ret;
         }
  
-       kvno = cli_credentials_get_kvno(machine_account);
+       kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
  
         /* for each entry in the keytab */
         ret = krb5_kt_start_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
@@ -694,34 +750,51 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
         return ret;
  }
  
-krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
-                          struct cli_credentials *machine_account,
-                          struct smb_krb5_context *smb_krb5_context,
-                          const char **enctype_strings,
-                          struct keytab_container *keytab_container) 
+krb5_error_code smb_krb5_update_keytab(struct smb_krb5_context *smb_krb5_context,
+                                      struct ldb_context *ldb, 
+                                      struct ldb_message *msg,
+                                      bool delete_all_kvno) 
  {
         krb5_error_code ret;
         bool found_previous;
-       TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+       TALLOC_CTX *mem_ctx = talloc_new(NULL);
+       struct keytab_container *keytab_container;
+       const char *keytab_name;
+
         if (!mem_ctx) {
                 return ENOMEM;
         }
  
-       ret = remove_old_entries(mem_ctx, machine_account, 
+       keytab_name = keytab_name_from_msg(mem_ctx, ldb, msg);
+       if (!keytab_name) {
+               return ENOENT;
+       }
+
+       ret = smb_krb5_open_keytab(mem_ctx, smb_krb5_context, keytab_name, &keytab_container);
+
+       if (ret != 0) {
+               talloc_free(mem_ctx);
+               return ret;
+       }
+
+       DEBUG(5, ("Opened keytab %s\n", keytab_name));
+
+       ret = remove_old_entries(mem_ctx, msg, delete_all_kvno,
                                  smb_krb5_context, keytab_container->keytab, &found_previous);
         if (ret != 0) {
                 talloc_free(mem_ctx);
                 return ret;
         }
         
-       /* Create a new keytab.  If during the cleanout we found
-        * entires for kvno -1, then don't try and duplicate them.
-        * Otherwise, add kvno, and kvno -1 */
-       
-       ret = create_keytab(mem_ctx, machine_account, smb_krb5_context, 
-                           enctype_strings, 
-                           keytab_container->keytab, 
-                           found_previous ? false : true);
+       if (!delete_all_kvno) {
+               /* Create a new keytab.  If during the cleanout we found
+                * entires for kvno -1, then don't try and duplicate them.
+                * Otherwise, add kvno, and kvno -1 */
+               
+               ret = create_keytab(mem_ctx, msg, smb_krb5_context, 
+                                   keytab_container->keytab, 
+                                   found_previous ? false : true);
+       }
         talloc_free(mem_ctx);
         return ret;
  }
@@ -729,13 +802,13 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
  krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
                                            struct cli_credentials *machine_account,
                                            struct smb_krb5_context *smb_krb5_context,
-                                          const char **enctype_strings,
                                            struct keytab_container **keytab_container) 
  {
         krb5_error_code ret;
         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
         const char *rand_string;
         const char *keytab_name;
+       struct ldb_message *msg;
         if (!mem_ctx) {
                 return ENOMEM;
         }
@@ -760,7 +833,18 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
                 return ret;
         }
  
-       ret = smb_krb5_update_keytab(mem_ctx, machine_account, smb_krb5_context, enctype_strings, *keytab_container);
+       msg = ldb_msg_new(mem_ctx);
+       if (!msg) {
+               talloc_free(mem_ctx);
+               return ENOMEM;
+       }
+       ldb_msg_add_string(msg, "krb5Keytab", keytab_name);
+       ldb_msg_add_string(msg, "secret", cli_credentials_get_password(machine_account));
+       ldb_msg_add_string(msg, "samAccountName", cli_credentials_get_username(machine_account));
+       ldb_msg_add_string(msg, "realm", cli_credentials_get_realm(machine_account));
+       ldb_msg_add_fmt(msg, "msDS-KeyVersionNumber", "%d", (int)cli_credentials_get_kvno(machine_account));
+
+       ret = smb_krb5_update_keytab(smb_krb5_context, NULL, msg, false);
         if (ret == 0) {
                 talloc_steal(parent_ctx, *keytab_container);
         } else {
@@ -769,7 +853,6 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
         talloc_free(mem_ctx);
         return ret;
  }
-
  /* Translate between the IETF encryption type values and the Microsoft msDS-SupportedEncryptionTypes values */
  uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum)
  {
@@ -812,7 +895,7 @@ krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap)
  krb5_error_code kerberos_enctype_bitmap_to_enctypes(TALLOC_CTX *mem_ctx, uint32_t enctype_bitmap, krb5_enctype **enctypes)
  {
         unsigned int i, j = 0;
-       *enctypes = talloc_zero_array(mem_ctx, krb5_enctype, 8*sizeof(enctype_bitmap));
+       *enctypes = talloc_zero_array(mem_ctx, krb5_enctype, (8*sizeof(enctype_bitmap))+1);
         if (!*enctypes) {
                 return ENOMEM;
         }
@@ -821,10 +904,11 @@ krb5_error_code kerberos_enctype_bitmap_to_enctypes(TALLOC_CTX *mem_ctx, uint32_
                 if (bit_value & enctype_bitmap) {
                         (*enctypes)[j] = kerberos_enctype_bitmap_to_enctype(bit_value);
                         if (!(*enctypes)[j]) {
-                               return KRB5_PROG_ETYPE_NOSUPP;
+                               continue;
                         }
                         j++;
                 }
         }
+       (*enctypes)[j] = 0;
         return 0;
  }
diff --git a/source4/dsdb/samdb/ldb_modules/update_keytab.c b/source4/dsdb/samdb/ldb_modules/update_keytab.c

index 071974f5e40af983e67c0166e52d52083ac33ef0..86ced73b5d44388e42b3dfd5ad55307d3a7af402 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/update_keytab.c
+++ b/source4/dsdb/samdb/ldb_modules/update_keytab.c
@@ -33,9 +33,11 @@
  #include "auth/credentials/credentials.h"
  #include "auth/credentials/credentials_krb5.h"
  #include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
  
  struct dn_list {
-       struct cli_credentials *creds;
+       struct ldb_message *msg;
+       bool do_delete;
         struct dn_list *prev, *next;
  };
  
@@ -81,11 +83,8 @@ static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool do_de
         struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
         struct dn_list *item;
         char *filter;
-       char *errstring;
         struct ldb_result *res;
-       const char *attrs[] = { NULL };
         int ret;
-       NTSTATUS status;
  
         filter = talloc_asprintf(data, "(&(dn=%s)(&(objectClass=kerberosSecret)(privateKeytab=*)))",
                                  ldb_dn_get_linearized(dn));
@@ -94,9 +93,9 @@ static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool do_de
         }
  
         ret = ldb_search(ldb, data, &res,
-                        dn, LDB_SCOPE_BASE, attrs, "%s", filter);
+                        dn, LDB_SCOPE_BASE, NULL, "%s", filter);
+       talloc_free(filter);
         if (ret != LDB_SUCCESS) {
-               talloc_free(filter);
                 return ret;
         }
  
@@ -106,34 +105,19 @@ static int add_modified(struct ldb_module *module, struct ldb_dn *dn, bool do_de
                 talloc_free(filter);
                 return LDB_SUCCESS;
         }
-       talloc_free(res);
  
         item = talloc(data->changed_dns? (void *)data->changed_dns: (void *)data, struct dn_list);
         if (!item) {
+               talloc_free(res);
                 talloc_free(filter);
                 return ldb_oom(ldb);
         }
  
-       item->creds = cli_credentials_init(item);
-       if (!item->creds) {
-               DEBUG(1, ("cli_credentials_init failed!"));
-               talloc_free(filter);
-               return ldb_oom(ldb);
-       }
+       item->msg = talloc_steal(item, res->msgs[0]);
+       item->do_delete = do_delete;
+       talloc_free(res);
  
-       cli_credentials_set_conf(item->creds, ldb_get_opaque(ldb, "loadparm"));
-       status = cli_credentials_set_secrets(item->creds, ldb_get_event_context(ldb), ldb_get_opaque(ldb, "loadparm"), ldb, NULL, filter, &errstring);
-       talloc_free(filter);
-       if (NT_STATUS_IS_OK(status)) {
-               if (do_delete) {
-                       /* Ensure we don't helpfully keep an old keytab entry */
-                       cli_credentials_set_kvno(item->creds, cli_credentials_get_kvno(item->creds)+2); 
-                       /* Wipe passwords */
-                       cli_credentials_set_nt_hash(item->creds, NULL, 
-                                                   CRED_SPECIFIED);
-               }
-               DLIST_ADD_END(data->changed_dns, item, struct dn_list *);
-       }
+       DLIST_ADD_END(data->changed_dns, item, struct dn_list *);
         return LDB_SUCCESS;
  }
  
@@ -379,19 +363,27 @@ static int update_kt_rename(struct ldb_module *module, struct ldb_request *req)
  /* prepare for a commit */
  static int update_kt_prepare_commit(struct ldb_module *module)
  {
-       struct ldb_context *ldb;
+       struct ldb_context *ldb = ldb_module_get_ctx(module);
         struct update_kt_private *data = talloc_get_type(ldb_module_get_private(module), struct update_kt_private);
         struct dn_list *p;
+       struct smb_krb5_context *smb_krb5_context;
+       int krb5_ret = smb_krb5_init_context(data, ldb_get_event_context(ldb), ldb_get_opaque(ldb, "loadparm"),
+                                            &smb_krb5_context);
+       if (krb5_ret != 0) {
+               talloc_free(data->changed_dns);
+               data->changed_dns = NULL;
+               ldb_asprintf_errstring(ldb, "Failed to setup krb5_context: %s", error_message(krb5_ret));
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
  
         ldb = ldb_module_get_ctx(module);
  
         for (p=data->changed_dns; p; p = p->next) {
-               int kret;
-               kret = cli_credentials_update_keytab(p->creds, ldb_get_event_context(ldb), ldb_get_opaque(ldb, "loadparm"));
-               if (kret != 0) {
+               krb5_ret = smb_krb5_update_keytab(smb_krb5_context, ldb, p->msg, p->do_delete);
+               if (krb5_ret != 0) {
                         talloc_free(data->changed_dns);
                         data->changed_dns = NULL;
-                       ldb_asprintf_errstring(ldb, "Failed to update keytab: %s", error_message(kret));
+                       ldb_asprintf_errstring(ldb, "Failed to update keytab: %s", error_message(krb5_ret));
                         return LDB_ERR_OPERATIONS_ERROR;
                 }
         }
diff --git a/source4/param/secrets.c b/source4/param/secrets.c

index f6ab5e93fbcf02968d78eea78409d9b03be928bc..5e9b0a977f7ae7f1c200221155007e841235e075 100644 (file)
--- a/source4/param/secrets.c
+++ b/source4/param/secrets.c
@@ -167,3 +167,28 @@ struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
  
         return result;
  }
+
+char *keytab_name_from_msg(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldb_message *msg) 
+{
+       const char *krb5keytab = ldb_msg_find_attr_as_string(msg, "krb5Keytab", NULL);
+       if (krb5keytab) {
+               return talloc_strdup(mem_ctx, krb5keytab);
+       } else {
+               char *file_keytab;
+               char *relative_path;
+               const char *privateKeytab = ldb_msg_find_attr_as_string(msg, "privateKeytab", NULL);
+               if (!privateKeytab) {
+                       return NULL;
+               }
+
+               relative_path = samdb_relative_path(ldb, mem_ctx, privateKeytab);
+               if (!relative_path) {
+                       return NULL;
+               }
+               file_keytab = talloc_asprintf(mem_ctx, "FILE:%s", relative_path);
+               talloc_free(relative_path);
+               return file_keytab;
+       }
+       return NULL;
+}
+
diff --git a/source4/param/secrets.h b/source4/param/secrets.h

index 018bd36337e2fd62960d05dd853b3222f315d9c8..49fe8c31c7c4a8f87fb7111544cd4724bb93d7e5 100644 (file)
--- a/source4/param/secrets.h
+++ b/source4/param/secrets.h
@@ -39,6 +39,9 @@
  struct loadparm_context;
  struct tevent_context;
  enum netr_SchannelType;
+struct ldb_message;
+struct ldb_context;
+
  struct tdb_wrap *secrets_init(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
  struct ldb_context *secrets_db_connect(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx);
  struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
@@ -47,6 +50,7 @@ struct dom_sid *secrets_get_domain_sid(TALLOC_CTX *mem_ctx,
                                        const char *domain,
                                        enum netr_SchannelType *sec_channel_type,
                                        char **errstring);
+char *keytab_name_from_msg(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct ldb_message *msg);
  
  
  #endif /* _SECRETS_H */
author	Andrew Bartlett <abartlet@samba.org>
	Thu, 23 Sep 2010 07:01:44 +0000 (17:01 +1000)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 23 Sep 2010 23:25:44 +0000 (09:25 +1000)
source4/auth/credentials/credentials.h		patch \| blob \| history
source4/auth/credentials/credentials_files.c		patch \| blob \| history
source4/auth/credentials/credentials_krb5.c		patch \| blob \| history
source4/auth/kerberos/kerberos.h		patch \| blob \| history
source4/auth/kerberos/kerberos_util.c		patch \| blob \| history
source4/dsdb/samdb/ldb_modules/update_keytab.c		patch \| blob \| history
source4/param/secrets.c		patch \| blob \| history
source4/param/secrets.h		patch \| blob \| history