From: Noel Power
Date: Thu, 8 Feb 2018 17:33:08 +0000 (+0000)
Subject: s3:libads: add param to prevent writing spn(s) to ads
X-Git-Tag: talloc-2.1.12~290
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=4e518ecdda040e1aa47506e436255597437a05ed

s3:libads: add param to prevent writing spn(s) to ads

'net ads keytab add' currently in addition to adding to the keytab file this command also can update AD computer objects via ldap. This behaviour isn't very intuitive or expected given the command name. By default we shouldn't write to the ADS. Prepare to change the default behaviour by modifying the function 'ads_keytab_add_entry' to take a paramater to modify the existing behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power
Reviewed-by: Jeremy Allison
Reviewed-by: Andreas Schneider
---

diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 3934c1cfe27..154bf67f964 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -49,7 +49,8 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descripto
 /* The following definitions come from libads/kerberos_keytab.c */
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc);
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc,
+ bool update_ads);
 int ads_keytab_flush(ADS_STRUCT *ads);
 int ads_keytab_create_default(ADS_STRUCT *ads);
 int ads_keytab_list(const char *keytab_name);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index b23baae8ae0..2c8ac9adb56 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
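Review bot: The new `update_ads` parameter is not documented at its prototype in ads_proto.h, and the function's header comment in the kerberos_keytab.c hunk at line 232 ("Adds a single service principal, i.e. 'host' to the system keytab") is not updated either; the only clue to its meaning is the `update_ads &&` guard added around `ads_set_machine_account_spns()` in the hunk at line 347. Since this flag decides whether the call performs an LDAP write to the machine account in the directory, its contract should be stated where callers see it, e.g. above the prototype: `/* update_ads: also register srvPrinc as an SPN on the machine account in AD; 'cifs' and 'host' are never written to AD regardless of this flag */`. The same sentence belongs in the comment block above the definition at line 232.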
@@ -232,7 +232,7 @@ out:
 Adds a single service principal, i.e. 'host' to the system keytab
 ***********************************************************************/
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 {
 krb5_error_code ret = 0;
 krb5_context context = NULL;
@@ -347,7 +347,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 host/... principal in the AD account. So only create these in the keytab, not in AD. --jerry */
- if (!strequal(srvPrinc, "cifs") &&
+ if (update_ads && !strequal(srvPrinc, "cifs") &&
 !strequal(srvPrinc, "host")) {
 if (!ads_set_machine_account_spns(tmpctx, ads,
@@ -545,7 +545,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 p[0] = '\0';
 /* Add the SPNs found on the DC */
- ret = ads_keytab_add_entry(ads, srv_princ);
+ ret = ads_keytab_add_entry(ads, srv_princ, true);
 if (ret != 0) {
 DEBUG(1, ("ads_keytab_add_entry failed while " "adding '%s' principal.\n",
@@ -558,7 +558,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 really needs them and we will fall back to verifying against secrets.tdb */
- ret = ads_keytab_add_entry(ads, "cifs"));
+ ret = ads_keytab_add_entry(ads, "cifs", true));
 if (ret != 0 ) {
 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while " "adding 'cifs'.\n"));
@@ -607,7 +607,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 goto done;
 }
- ret = ads_keytab_add_entry(ads, sam_account_name);
+ ret = ads_keytab_add_entry(ads, sam_account_name, true);
 if (ret != 0) {
 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed " "while adding sAMAccountName (%s)\n",
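Review bot: When `update_ads` is false, the SPN registration in AD is skipped silently by the condition in the hunk at line 347; an operator running `net ads keytab add` (which now passes `false` from net_ads.c) gets a keytab entry but no AD SPN and no log line saying so, which is hard to diagnose when Kerberos clients later fail against that service. Consider an explicit trace after the block (the `if` body is closed outside this hunk), e.g. `else if (!update_ads) { DEBUG(3, ("not registering SPN '%s' in AD (update_ads is false)\n", srvPrinc)); }`, and extend the "--jerry" comment above the condition with one sentence saying that the whole AD write is additionally gated by the caller's `update_ads`. Whether the function already logs this further down is not visible in the hunk.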
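Review bot: The changed line in the hunk at line 558, `ret = ads_keytab_add_entry(ads, "cifs", true));`, carries over an unbalanced closing parenthesis from the old line, which would not compile as plain C. Since the series was reviewed and presumably built, this statement is likely inside a preprocessor-disabled region not visible in the hunk; if so, it is worth either dropping the stray `)` while touching the line or deleting the dead block, so the new parameter does not keep spreading into code nobody compiles. Note also that this call passes `true` for `update_ads`, but per the guard in the hunk at line 347 a 'cifs' principal is never written to AD anyway, so the value is irrelevant here.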
@@ -618,7 +618,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 /* remember that not every machine account will have a upn */
 upn = ads_get_upn(ads, frame, machine_name);
 if (upn) {
- ret = ads_keytab_add_entry(ads, upn);
+ ret = ads_keytab_add_entry(ads, upn, true);
 if (ret != 0) {
 DEBUG(1, (__location__ ": ads_keytab_add_entry() " "failed while adding UPN (%s)\n", upn));
@@ -732,7 +732,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 ret = 0;
 for (i = 0; oldEntries[i]; i++) {
- ret |= ads_keytab_add_entry(ads, oldEntries[i]);
+ ret |= ads_keytab_add_entry(ads, oldEntries[i], true);
 TALLOC_FREE(oldEntries[i]);
 }
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index a5d1928f30b..352044ed068 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2626,7 +2626,7 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv
 return -1;
 }
 for (i = 0; i < argc; i++) {
- ret |= ads_keytab_add_entry(ads, argv[i]);
+ ret |= ads_keytab_add_entry(ads, argv[i], false);
 }
 ads_destroy(&ads);
 return ret;
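Review bot: `net_ads_keytab_add()` now hard-codes `false` for `update_ads` in the loop of the net_ads.c hunk at line 2626, so `net ads keytab add` stops publishing SPNs to the machine account with no way to request the old behaviour, while the commit message only speaks of preparing to change the default and making the AD update optional. Unless a follow-up wires an opt-in, either make the value come from a command option or state the behaviour change in the command's help text and in the commit message. Administrators who relied on this command to register SPNs will otherwise end up with services present in the keytab but unknown to AD, and nothing in this hunk reports that. The rest of net_ads_keytab_add() lies outside the hunk.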