2 Unix SMB/CIFS implementation.
3 dump the remote SAM using rpc samsync operations
5 Copyright (C) Guenther Deschner 2008.
6 Copyright (C) Michael Adam 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libnet/libnet_keytab.h"
29 /****************************************************************
30 ****************************************************************/
32 static int keytab_close(struct libnet_keytab_context *ctx)
38 if (ctx->keytab && ctx->context) {
39 krb5_kt_close(ctx->context, ctx->keytab);
43 krb5_free_context(ctx->context);
47 ads_destroy(&ctx->ads);
55 /****************************************************************
56 ****************************************************************/
58 krb5_error_code libnet_keytab_init(TALLOC_CTX *mem_ctx,
59 const char *keytab_name,
60 struct libnet_keytab_context **ctx)
62 krb5_error_code ret = 0;
63 krb5_context context = NULL;
64 krb5_keytab keytab = NULL;
65 const char *keytab_string = NULL;
67 struct libnet_keytab_context *r;
69 r = talloc_zero(mem_ctx, struct libnet_keytab_context);
74 talloc_set_destructor(r, keytab_close);
76 initialize_krb5_error_table();
77 ret = krb5_init_context(&context);
79 DEBUG(1,("keytab_init: could not krb5_init_context: %s\n",
84 ret = smb_krb5_open_keytab(context, keytab_name, true, &keytab);
86 DEBUG(1,("keytab_init: smb_krb5_open_keytab failed (%s)\n",
88 krb5_free_context(context);
92 ret = smb_krb5_keytab_name(mem_ctx, context, keytab, &keytab_string);
94 krb5_kt_close(context, keytab);
95 krb5_free_context(context);
101 r->keytab_name = keytab_string;
102 r->clean_old_entries = false;
109 /****************************************************************
110 ****************************************************************/
113 * Remove all entries that have the given principal, kvno and enctype.
115 static krb5_error_code libnet_keytab_remove_entries(krb5_context context,
117 const char *principal,
119 const krb5_enctype enctype,
123 krb5_kt_cursor cursor;
124 krb5_keytab_entry kt_entry;
126 ZERO_STRUCT(kt_entry);
129 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
134 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0)
137 char *princ_s = NULL;
139 if (kt_entry.vno != kvno && !ignore_kvno) {
143 keyp = KRB5_KT_KEY(&kt_entry);
145 if (KRB5_KEY_TYPE(keyp) != enctype) {
149 ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal,
152 DEBUG(5, ("smb_krb5_unparse_name failed (%s)\n",
153 error_message(ret)));
157 if (strcmp(principal, princ_s) != 0) {
161 /* match found - remove */
163 DEBUG(10, ("found entry for principal %s, kvno %d, "
164 "enctype %d - trying to remove it\n",
165 princ_s, kt_entry.vno, KRB5_KEY_TYPE(keyp)));
167 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
170 DEBUG(5, ("krb5_kt_end_seq_get failed (%s)\n",
171 error_message(ret)));
175 ret = krb5_kt_remove_entry(context, keytab,
178 DEBUG(5, ("krb5_kt_remove_entry failed (%s)\n",
179 error_message(ret)));
182 DEBUG(10, ("removed entry for principal %s, kvno %d, "
183 "enctype %d\n", princ_s, kt_entry.vno,
184 KRB5_KEY_TYPE(keyp)));
186 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
188 DEBUG(5, ("krb5_kt_start_seq_get failed (%s)\n",
189 error_message(ret)));
194 smb_krb5_kt_free_entry(context, &kt_entry);
195 TALLOC_FREE(princ_s);
198 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
200 DEBUG(5, ("krb5_kt_end_seq_get failed (%s)\n",
201 error_message(ret)));
207 static krb5_error_code libnet_keytab_add_entry(krb5_context context,
211 krb5_enctype enctype,
215 krb5_keytab_entry kt_entry;
217 krb5_principal salt_princ = NULL;
220 /* remove duplicates first ... */
221 ret = libnet_keytab_remove_entries(context, keytab, princ_s, kvno,
224 DEBUG(1, ("libnet_keytab_remove_entries failed: %s\n",
225 error_message(ret)));
228 ZERO_STRUCT(kt_entry);
232 ret = smb_krb5_parse_name(context, princ_s, &kt_entry.principal);
234 DEBUG(1, ("smb_krb5_parse_name(%s) failed (%s)\n",
235 princ_s, error_message(ret)));
239 keyp = KRB5_KT_KEY(&kt_entry);
241 salt_princ_s = kerberos_fetch_salt_princ_for_host_princ(context,
244 if (salt_princ_s == NULL) {
245 ret = KRB5KRB_ERR_GENERIC;
249 ret = krb5_parse_name(context, salt_princ_s, &salt_princ);
250 SAFE_FREE(salt_princ_s);
252 ret = KRB5KRB_ERR_GENERIC;
256 ret = create_kerberos_key_from_string(context,
263 krb5_free_principal(context, salt_princ);
265 ret = KRB5KRB_ERR_GENERIC;
269 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
271 DEBUG(1, ("adding entry to keytab failed (%s)\n",
272 error_message(ret)));
276 krb5_free_keyblock_contents(context, keyp);
277 krb5_free_principal(context, kt_entry.principal);
278 ZERO_STRUCT(kt_entry);
279 smb_krb5_kt_free_entry(context, &kt_entry);
284 krb5_error_code libnet_keytab_add(struct libnet_keytab_context *ctx)
286 krb5_error_code ret = 0;
290 if (ctx->clean_old_entries) {
291 DEBUG(0, ("cleaning old entries...\n"));
292 for (i=0; i < ctx->count; i++) {
293 struct libnet_keytab_entry *entry = &ctx->entries[i];
295 ret = libnet_keytab_remove_entries(ctx->context,
302 DEBUG(1,("libnet_keytab_add: Failed to remove "
303 "old entries for %s (enctype %u): %s\n",
304 entry->principal, entry->enctype,
305 error_message(ret)));
311 for (i=0; i<ctx->count; i++) {
313 struct libnet_keytab_entry *entry = &ctx->entries[i];
316 ZERO_STRUCT(password);
317 password.data = (char *)entry->password.data;
318 password.length = entry->password.length;
320 ret = libnet_keytab_add_entry(ctx->context,
327 DEBUG(1,("libnet_keytab_add: "
328 "Failed to add entry to keytab file\n"));
336 struct libnet_keytab_entry *libnet_keytab_search(struct libnet_keytab_context *ctx,
337 const char *principal,
339 const krb5_enctype enctype,
342 krb5_error_code ret = 0;
343 krb5_kt_cursor cursor;
344 krb5_keytab_entry kt_entry;
345 struct libnet_keytab_entry *entry = NULL;
347 ZERO_STRUCT(kt_entry);
350 ret = krb5_kt_start_seq_get(ctx->context, ctx->keytab, &cursor);
352 DEBUG(10, ("krb5_kt_start_seq_get failed: %s\n",
353 error_message(ret)));
357 while (krb5_kt_next_entry(ctx->context, ctx->keytab, &kt_entry, &cursor) == 0)
360 char *princ_s = NULL;
364 if (kt_entry.vno != kvno) {
368 keyp = KRB5_KT_KEY(&kt_entry);
370 if (KRB5_KEY_TYPE(keyp) != enctype) {
374 entry = talloc_zero(mem_ctx, struct libnet_keytab_entry);
376 DEBUG(3, ("talloc failed\n"));
380 ret = smb_krb5_unparse_name(entry, ctx->context, kt_entry.principal,
386 if (strcmp(principal, princ_s) != 0) {
390 entry->principal = talloc_strdup(entry, princ_s);
391 if (!entry->principal) {
392 DEBUG(3, ("talloc_strdup_failed\n"));
396 entry->name = talloc_move(entry, &princ_s);
398 entry->password = data_blob_talloc(entry, KRB5_KEY_DATA(keyp),
399 KRB5_KEY_LENGTH(keyp));
400 if (!entry->password.data) {
401 DEBUG(3, ("data_blob_talloc failed\n"));
405 DEBUG(10, ("found entry\n"));
407 smb_krb5_kt_free_entry(ctx->context, &kt_entry);
411 smb_krb5_kt_free_entry(ctx->context, &kt_entry);
416 smb_krb5_kt_free_entry(ctx->context, &kt_entry);
421 krb5_kt_end_seq_get(ctx->context, ctx->keytab, &cursor);
426 * Helper function to add data to the list
427 * of keytab entries. It builds the prefix from the input.
429 NTSTATUS libnet_keytab_add_to_keytab_entries(TALLOC_CTX *mem_ctx,
430 struct libnet_keytab_context *ctx,
434 const krb5_enctype enctype,
437 struct libnet_keytab_entry entry;
440 entry.name = talloc_strdup(mem_ctx, name);
441 entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
442 prefix ? prefix : "",
444 name, ctx->dns_domain_name);
445 entry.enctype = enctype;
446 entry.password = blob;
447 NT_STATUS_HAVE_NO_MEMORY(entry.name);
448 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
449 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
451 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
452 &ctx->entries, &ctx->count);
453 NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
458 #endif /* HAVE_KRB5 */