r12422: Some kerberos comments and clarifications.
[samba.git] / source / auth / kerberos / kerberos_util.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos utility functions for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "system/kerberos.h"
26 #include "system/time.h"
27 #include "system/network.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "auth/auth.h"
30
31 struct principal_container {
32         struct smb_krb5_context *smb_krb5_context;
33         krb5_principal principal;
34 };
35
36 static int free_principal(void *ptr) {
37         struct principal_container *pc = ptr;
38         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
39         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
40
41         return 0;
42 }
43
44 krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, 
45                                                 struct cli_credentials *machine_account, 
46                                                 struct smb_krb5_context *smb_krb5_context,
47                                                 krb5_principal *salt_princ)
48 {
49         krb5_error_code ret;
50         char *machine_username;
51         char *salt_body;
52         char *lower_realm;
53         const char *salt_principal;
54         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
55         if (!mem_ctx) {
56                 return ENOMEM;
57         }
58
59         salt_principal = cli_credentials_get_salt_principal(machine_account);
60         if (salt_principal) {
61                 ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ); 
62         } else {
63                 machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
64                 
65                 if (!machine_username) {
66                         talloc_free(mem_ctx);
67                         return ENOMEM;
68                 }
69                 
70                 if (machine_username[strlen(machine_username)-1] == '$') {
71                         machine_username[strlen(machine_username)-1] = '\0';
72                 }
73                 lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
74                 if (!lower_realm) {
75                         talloc_free(mem_ctx);
76                         return ENOMEM;
77                 }
78                 
79                 salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username, 
80                                             lower_realm);
81                 if (!salt_body) {
82                         talloc_free(mem_ctx);
83                 return ENOMEM;
84                 }
85                 
86                 ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ, 
87                                           cli_credentials_get_realm(machine_account), 
88                                           "host", salt_body, NULL);
89         } 
90
91         if (ret == 0) {
92                 /* This song-and-dance effectivly puts the principal
93                  * into talloc, so we can't loose it. */
94                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
95                 mem_ctx->principal = *salt_princ;
96                 talloc_set_destructor(mem_ctx, free_principal);
97         }
98         return ret;
99 }
100
101 /* Obtain the principal set on this context.  Requires a
102  * smb_krb5_context because we are doing krb5 principal parsing with
103  * the library routines.  The returned princ is placed in the talloc
104  * system by means of a destructor (do *not* free). */
105
106 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, 
107                                            struct cli_credentials *credentials, 
108                                            struct smb_krb5_context *smb_krb5_context,
109                                            krb5_principal *princ)
110 {
111         krb5_error_code ret;
112         const char *princ_string;
113         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
114         if (!mem_ctx) {
115                 return ENOMEM;
116         }
117         
118         princ_string = cli_credentials_get_principal(credentials, mem_ctx);
119
120         /* A NULL here has meaning, as the gssapi server case will
121          * then use the principal from the client */
122         if (!princ_string) {
123                 talloc_free(mem_ctx);
124                 princ = NULL;
125                 return 0;
126         }
127
128         ret = krb5_parse_name(smb_krb5_context->krb5_context,
129                               princ_string, princ);
130
131         if (ret == 0) {
132                 /* This song-and-dance effectivly puts the principal
133                  * into talloc, so we can't loose it. */
134                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
135                 mem_ctx->principal = *princ;
136                 talloc_set_destructor(mem_ctx, free_principal);
137         }
138         return ret;
139 }
140
141 /**
142  * Return a freshly allocated ccache (destroyed by destructor on child
143  * of parent_ctx), for a given set of client credentials 
144  */
145
146  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
147                                  struct cli_credentials *credentials,
148                                  struct smb_krb5_context *smb_krb5_context,
149                                  krb5_ccache ccache) 
150 {
151         krb5_error_code ret;
152         const char *password;
153         time_t kdc_time = 0;
154         krb5_principal princ;
155
156         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
157
158         if (!mem_ctx) {
159                 return ENOMEM;
160         }
161
162         ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ);
163         if (ret) {
164                 talloc_free(mem_ctx);
165                 return ret;
166         }
167
168         password = cli_credentials_get_password(credentials);
169         
170         if (password) {
171                 ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, 
172                                                  princ, 
173                                                  password, NULL, &kdc_time);
174         } else {
175                 /* No password available, try to use a keyblock instead */
176
177                 krb5_keyblock keyblock;
178                 const struct samr_Password *mach_pwd;
179                 mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
180                 if (!mach_pwd) {
181                         talloc_free(mem_ctx);
182                         DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
183                         return EINVAL;
184                 }
185                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
186                                          ENCTYPE_ARCFOUR_HMAC,
187                                          mach_pwd->hash, sizeof(mach_pwd->hash), 
188                                          &keyblock);
189                 
190                 if (ret == 0) {
191                         ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, 
192                                                          princ,
193                                                          &keyblock, NULL, &kdc_time);
194                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
195                 }
196         }
197
198         /* cope with ticket being in the future due to clock skew */
199         if ((unsigned)kdc_time > time(NULL)) {
200                 time_t t = time(NULL);
201                 int time_offset =(unsigned)kdc_time-t;
202                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
203                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
204         }
205         
206         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
207                 DEBUG(1,("kinit for %s failed (%s)\n", 
208                          cli_credentials_get_principal(credentials, mem_ctx), 
209                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
210                                                     ret, mem_ctx)));
211                 talloc_free(mem_ctx);
212                 return ret;
213         }
214         if (ret) {
215                 DEBUG(1,("kinit for %s failed (%s)\n", 
216                          cli_credentials_get_principal(credentials, mem_ctx), 
217                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
218                                                     ret, mem_ctx)));
219                 talloc_free(mem_ctx);
220                 return ret;
221         } 
222         return 0;
223 }
224
225 static int free_keytab(void *ptr) {
226         struct keytab_container *ktc = ptr;
227         krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
228
229         return 0;
230 }
231
232 int smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
233                          struct smb_krb5_context *smb_krb5_context, 
234                          const char *keytab_name, struct keytab_container **ktc) 
235 {
236         krb5_keytab keytab;
237         int ret;
238         ret = krb5_kt_resolve(smb_krb5_context->krb5_context, keytab_name, &keytab);
239         if (ret) {
240                 DEBUG(1,("failed to open krb5 keytab: %s\n", 
241                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
242                                                     ret, mem_ctx)));
243                 return ret;
244         }
245
246         *ktc = talloc(mem_ctx, struct keytab_container);
247         if (!*ktc) {
248                 return ENOMEM;
249         }
250
251         (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
252         (*ktc)->keytab = keytab;
253         talloc_set_destructor(*ktc, free_keytab);
254
255         return 0;
256 }
257
258 struct enctypes_container {
259         struct smb_krb5_context *smb_krb5_context;
260         krb5_enctype *enctypes;
261 };
262
263 static int free_enctypes(void *ptr) {
264         struct enctypes_container *etc = ptr;
265         free_kerberos_etypes(etc->smb_krb5_context->krb5_context, etc->enctypes);
266         return 0;
267 }
268
269 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
270                                        const char *princ_string,
271                                        krb5_principal princ,
272                                        krb5_principal salt_princ,
273                                        int kvno,
274                                        const char *password_s,
275                                        struct smb_krb5_context *smb_krb5_context,
276                                        krb5_keytab keytab)
277 {
278         int i;
279         krb5_error_code ret;
280         krb5_enctype *enctypes;
281         char *enctype_string;
282         struct enctypes_container *etc;
283         krb5_data password;
284         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
285         if (!mem_ctx) {
286                 return ENOMEM;
287         }
288
289         etc = talloc(mem_ctx, struct enctypes_container);
290         if (!etc) {
291                 talloc_free(mem_ctx);
292                 return ENOMEM;
293         }
294         ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context, 
295                                           &enctypes);
296         if (ret != 0) {
297                 DEBUG(1,("keytab_add_keys: getting encrption types failed (%s)\n",
298                          error_message(ret)));
299                 talloc_free(mem_ctx);
300                 return ret;
301         }
302
303         etc->smb_krb5_context = talloc_reference(etc, smb_krb5_context);
304         etc->enctypes = enctypes;
305
306         talloc_set_destructor(etc, free_enctypes);
307
308         password.data = discard_const_p(char *, password_s);
309         password.length = strlen(password_s);
310
311         for (i=0; enctypes[i]; i++) {
312                 krb5_keytab_entry entry;
313                 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
314                                                       salt_princ, &password, &entry.keyblock, enctypes[i]);
315                 if (ret != 0) {
316                         talloc_free(mem_ctx);
317                         return ret;
318                 }
319
320                 entry.principal = princ;
321                 entry.vno       = kvno;
322                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
323                 enctype_string = NULL;
324                 krb5_enctype_to_string(smb_krb5_context->krb5_context, enctypes[i], &enctype_string);
325                 if (ret != 0) {
326                         DEBUG(1, ("Failed to add %s entry for %s(kvno %d) to keytab: %s\n",
327                                   enctype_string,
328                                   princ_string,
329                                   kvno,
330                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
331                                                              ret, mem_ctx)));
332                         talloc_free(mem_ctx);
333                         free(enctype_string);           
334                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
335                         return ret;
336                 }
337
338                 DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n", 
339                           princ_string, kvno,
340                           enctype_string));
341                 free(enctype_string);           
342                 
343                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
344         }
345         talloc_free(mem_ctx);
346         return 0;
347 }
348
349 static int create_keytab(TALLOC_CTX *parent_ctx,
350                          struct cli_credentials *machine_account,
351                          struct smb_krb5_context *smb_krb5_context,
352                          krb5_keytab keytab,
353                          BOOL add_old) 
354 {
355         krb5_error_code ret;
356         const char *password_s;
357         char *enctype_string;
358         const char *old_secret;
359         int kvno;
360         krb5_principal salt_princ;
361         krb5_principal princ;
362         const char *princ_string;
363
364         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
365         if (!mem_ctx) {
366                 return ENOMEM;
367         }
368
369         princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
370         /* Get the principal we will store the new keytab entries under */
371         ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
372         if (ret) {
373                 DEBUG(1,("create_keytab: makeing krb5 principal failed (%s)\n",
374                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
375                                                     ret, mem_ctx)));
376                 talloc_free(mem_ctx);
377                 return ret;
378         }
379
380         /* The salt used to generate these entries may be different however, fetch that */
381         ret = salt_principal_from_credentials(mem_ctx, machine_account, 
382                                               smb_krb5_context, 
383                                               &salt_princ);
384         if (ret) {
385                 DEBUG(1,("create_keytab: makeing salt principal failed (%s)\n",
386                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
387                                                     ret, mem_ctx)));
388                 talloc_free(mem_ctx);
389                 return ret;
390         }
391
392         /* Finally, do the dance to get the password to put in the entry */
393         password_s = cli_credentials_get_password(machine_account);
394         if (!password_s) {
395                 /* If we don't have the plaintext password, try for
396                  * the MD4 password hash */
397
398                 krb5_keytab_entry entry;
399                 const struct samr_Password *mach_pwd;
400                 mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
401                 if (!mach_pwd) {
402                         talloc_free(mem_ctx);
403                         DEBUG(1, ("create_keytab: Domain trust informaton for account %s not available\n",
404                                   cli_credentials_get_principal(machine_account, mem_ctx)));
405                         return EINVAL;
406                 }
407                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
408                                          ENCTYPE_ARCFOUR_HMAC,
409                                          mach_pwd->hash, sizeof(mach_pwd->hash), 
410                                          &entry.keyblock);
411                 if (ret) {
412                         DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n",
413                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
414                                                              ret, mem_ctx)));
415                         return ret;
416                 }
417
418                 entry.principal = princ;
419                 entry.vno       = cli_credentials_get_kvno(machine_account);
420                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
421                 if (ret) {
422                         DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
423                                   cli_credentials_get_principal(machine_account, mem_ctx), 
424                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
425                                                              ret, mem_ctx)));
426                         talloc_free(mem_ctx);
427                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
428                         return ret;
429                 }
430                 
431                 krb5_enctype_to_string(smb_krb5_context->krb5_context, ENCTYPE_ARCFOUR_HMAC, &enctype_string);
432                 DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n", 
433                           cli_credentials_get_principal(machine_account, mem_ctx),
434                           cli_credentials_get_kvno(machine_account),
435                           enctype_string));
436                 free(enctype_string);           
437
438                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
439
440                 /* Can't go any further, we only have this one key */
441                 talloc_free(mem_ctx);
442                 return 0;
443         }
444         
445         kvno = cli_credentials_get_kvno(machine_account);
446         /* good, we actually have the real plaintext */
447         ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
448                               kvno, password_s, smb_krb5_context, keytab);
449         if (!ret) {
450                 talloc_free(mem_ctx);
451                 return ret;
452         }
453
454         if (!add_old || kvno == 0) {
455                 talloc_free(mem_ctx);
456                 return 0;
457         }
458
459         old_secret = cli_credentials_get_old_password(machine_account);
460         if (!old_secret) {
461                 talloc_free(mem_ctx);
462                 return 0;
463         }
464         
465         ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ, 
466                               kvno - 1, old_secret, smb_krb5_context, keytab);
467         if (!ret) {
468                 talloc_free(mem_ctx);
469                 return ret;
470         }
471
472         talloc_free(mem_ctx);
473         return 0;
474 }
475
476
477 /*
478  * Walk the keytab, looking for entries of this principal name, with KVNO other than current kvno -1.
479  *
480  * These entries are now stale, we only keep the current, and previous entries around.
481  *
482  * Inspired by the code in Samba3 for 'use kerberos keytab'.
483  *
484  */
485
486 static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
487                                           struct cli_credentials *machine_account,
488                                           struct smb_krb5_context *smb_krb5_context,
489                                           krb5_keytab keytab, BOOL *found_previous)
490 {
491         krb5_error_code ret, ret2;
492         krb5_kt_cursor cursor;
493         krb5_principal princ;
494         int kvno;
495         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
496         const char *princ_string;
497         if (!mem_ctx) {
498                 return ENOMEM;
499         }
500
501         *found_previous = False;
502         princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
503
504         /* Get the principal we will store the new keytab entries under */
505         ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
506         if (ret) {
507                 DEBUG(1,("update_keytab: makeing krb5 principal failed (%s)\n",
508                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
509                                                     ret, mem_ctx)));
510                 talloc_free(mem_ctx);
511                 return ret;
512         }
513
514         kvno = cli_credentials_get_kvno(machine_account);
515
516         /* for each entry in the keytab */
517         ret = krb5_kt_start_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
518         switch (ret) {
519         case 0:
520                 break;
521         case ENOENT:
522         case KRB5_KT_END:
523                 /* no point enumerating if there isn't anything here */
524                 talloc_free(mem_ctx);
525                 return 0;
526         default:
527                 DEBUG(1,("failed to open keytab for read of old entries: %s\n",
528                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
529                                                     ret, mem_ctx)));
530                 talloc_free(mem_ctx);
531                 return ret;
532         }
533
534         while (!ret) {
535                 krb5_keytab_entry entry;
536                 ret = krb5_kt_next_entry(smb_krb5_context->krb5_context, keytab, &entry, &cursor);
537                 if (ret) {
538                         break;
539                 }
540                 /* if it matches our principal */
541                 if (!krb5_kt_compare(smb_krb5_context->krb5_context, &entry, princ, 0, 0)) {
542                         /* Free the entry, it wasn't the one we were looking for anyway */
543                         krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
544                         continue;
545                 }
546
547                 /* delete it, if it is not kvno -1 */
548                 if (entry.vno != (kvno - 1 )) {
549                         /* Release the enumeration.  We are going to
550                          * have to start this from the top again,
551                          * because deletes during enumeration may not
552                          * always be consistant.
553                          *
554                          * Also, the enumeration locks a FILE: keytab
555                          */
556                 
557                         krb5_kt_end_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
558
559                         ret = krb5_kt_remove_entry(smb_krb5_context->krb5_context, keytab, &entry);
560                         krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
561
562                         /* Deleted: Restart from the top */
563                         ret2 = krb5_kt_start_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
564                         if (ret2) {
565                                 krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
566                                 DEBUG(1,("failed to restart enumeration of keytab: %s\n",
567                                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
568                                                                     ret, mem_ctx)));
569                                 
570                                 talloc_free(mem_ctx);
571                                 return ret2;
572                         }
573
574                         if (ret) {
575                                 break;
576                         }
577                         
578                 } else {
579                         *found_previous = True;
580                 }
581                 
582                 /* Free the entry, we don't need it any more */
583                 krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
584                 
585                 
586         }
587         krb5_kt_end_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
588
589         switch (ret) {
590         case 0:
591                 break;
592         case ENOENT:
593         case KRB5_KT_END:
594                 ret = 0;
595                 break;
596         default:
597                 DEBUG(1,("failed in deleting old entries for principal: %s: %s\n",
598                          princ_string, 
599                          smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
600                                                     ret, mem_ctx)));
601         }
602         talloc_free(mem_ctx);
603         return ret;
604 }
605
606 int smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
607                            struct cli_credentials *machine_account,
608                            struct smb_krb5_context *smb_krb5_context,
609                            struct keytab_container *keytab_container) 
610 {
611         krb5_error_code ret;
612         BOOL found_previous;
613         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
614         if (!mem_ctx) {
615                 return ENOMEM;
616         }
617         
618         ret = remove_old_entries(mem_ctx, machine_account, 
619                                  smb_krb5_context, keytab_container->keytab, &found_previous);
620         if (ret != 0) {
621                 talloc_free(mem_ctx);
622                 return ret;
623         }
624         
625         /* Create a new keytab.  If during the cleanout we found
626          * entires for kvno -1, then don't try and duplicate them.
627          * Otherwise, add kvno, and kvno -1 */
628         
629         ret = create_keytab(mem_ctx, machine_account, smb_krb5_context, 
630                             keytab_container->keytab, 
631                             found_previous ? False : True);
632         talloc_free(mem_ctx);
633         return ret;
634 }
635
636 int smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
637                                   struct cli_credentials *machine_account,
638                                   struct smb_krb5_context *smb_krb5_context,
639                                   struct keytab_container **keytab_container) 
640 {
641         krb5_error_code ret;
642         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
643         const char *rand_string;
644         const char *keytab_name;
645         if (!mem_ctx) {
646                 return ENOMEM;
647         }
648         
649         *keytab_container = talloc(mem_ctx, struct keytab_container);
650
651         rand_string = generate_random_str(mem_ctx, 16);
652         if (!rand_string) {
653                 talloc_free(mem_ctx);
654                 return ENOMEM;
655         }
656
657         keytab_name = talloc_asprintf(mem_ctx, "MEMORY:%s", 
658                                       rand_string);
659         if (!keytab_name) {
660                 talloc_free(mem_ctx);
661                 return ENOMEM;
662         }
663
664         ret = smb_krb5_open_keytab(mem_ctx, smb_krb5_context, keytab_name, keytab_container);
665         if (ret) {
666                 return ret;
667         }
668
669         ret = smb_krb5_update_keytab(mem_ctx, machine_account, smb_krb5_context, *keytab_container);
670         if (ret == 0) {
671                 talloc_steal(parent_ctx, *keytab_container);
672         } else {
673                 *keytab_container = NULL;
674         }
675         talloc_free(mem_ctx);
676         return ret;
677 }
678