2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
37 /* This MAX_NAME_LEN is a constant defined in krb5.h */
38 #ifndef MAX_KEYTAB_NAME_LEN
39 #define MAX_KEYTAB_NAME_LEN 1100
42 static krb5_error_code ads_keytab_open(krb5_context context,
45 char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
46 const char *keytab_name = NULL;
47 krb5_error_code ret = 0;
49 switch (lp_kerberos_method()) {
50 case KERBEROS_VERIFY_SYSTEM_KEYTAB:
51 case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
52 ret = krb5_kt_default_name(context,
54 sizeof(keytab_str) - 2);
56 DBG_WARNING("Failed to get default keytab name");
59 keytab_name = keytab_str;
61 case KERBEROS_VERIFY_DEDICATED_KEYTAB:
62 keytab_name = lp_dedicated_keytab_file();
65 DBG_ERR("Invalid kerberos method set (%d)\n",
66 lp_kerberos_method());
67 ret = KRB5_KT_BADNAME;
71 if (keytab_name == NULL || keytab_name[0] == '\0') {
72 DBG_ERR("Invalid keytab name\n");
73 ret = KRB5_KT_BADNAME;
77 ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
79 DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
88 static bool fill_default_spns(TALLOC_CTX *ctx, const char *machine_name,
89 const char *my_fqdn, const char *spn,
95 *spns = talloc_zero_array(ctx, const char*, 3);
101 psp1 = talloc_asprintf(ctx,
109 if (!strlower_m(&psp1[strlen(spn) + 1])) {
114 psp2 = talloc_asprintf(ctx,
122 if (!strlower_m(&psp2[strlen(spn) + 1])) {
131 static bool ads_set_machine_account_spns(TALLOC_CTX *ctx,
133 const char *service_or_spn,
136 const char **spn_names = NULL;
138 struct spn_struct* spn_struct = NULL;
141 /* SPN should have '/' */
142 tmp = strchr_m(service_or_spn, '/');
144 spn_struct = parse_spn(ctx, service_or_spn);
145 if (spn_struct == NULL) {
150 DBG_INFO("Attempting to add/update '%s'\n", service_or_spn);
152 if (spn_struct != NULL) {
153 spn_names = talloc_zero_array(ctx, const char*, 2);
154 spn_names[0] = service_or_spn;
158 ok = fill_default_spns(ctx,
167 aderr = ads_add_service_principal_names(ads,
170 if (!ADS_ERR_OK(aderr)) {
171 DBG_WARNING("Failed to add service principal name.\n");
179 * Create kerberos principal(s) from SPN or service name.
181 static bool service_or_spn_to_kerberos_princ(TALLOC_CTX *ctx,
182 const char *service_or_spn,
185 char **p_short_princ_s)
187 char *princ_s = NULL;
188 char *short_princ_s = NULL;
189 const char *service = service_or_spn;
190 const char *host = my_fqdn;
191 struct spn_struct* spn_struct = NULL;
195 /* SPN should have '/' */
196 tmp = strchr_m(service_or_spn, '/');
198 spn_struct = parse_spn(ctx, service_or_spn);
199 if (spn_struct == NULL) {
204 if (spn_struct != NULL) {
205 service = spn_struct->serviceclass;
206 host = spn_struct->host;
208 princ_s = talloc_asprintf(ctx, "%s/%s@%s",
211 if (princ_s == NULL) {
216 if (spn_struct == NULL) {
217 short_princ_s = talloc_asprintf(ctx, "%s/%s@%s",
218 service, lp_netbios_name(),
220 if (short_princ_s == NULL) {
225 *p_princ_s = princ_s;
226 *p_short_princ_s = short_princ_s;
231 static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
232 ADS_STRUCT *ads, const char *salt_princ_s,
233 krb5_keytab keytab, krb5_kvno kvno,
234 const char *srvPrinc, const char *my_fqdn,
235 krb5_data *password, bool update_ads)
237 krb5_error_code ret = 0;
238 char *princ_s = NULL;
239 char *short_princ_s = NULL;
240 krb5_enctype enctypes[4] = {
241 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
242 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
244 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
245 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
247 ENCTYPE_ARCFOUR_HMAC,
252 /* Construct our principal */
253 if (strchr_m(srvPrinc, '@')) {
254 /* It's a fully-named principal. */
255 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
260 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
261 /* It's the machine account, as used by smbclient clients. */
262 princ_s = talloc_asprintf(tmpctx, "%s@%s",
263 srvPrinc, lp_realm());
269 /* It's a normal service principal. Add the SPN now so that we
270 * can obtain credentials for it and double-check the salt value
271 * used to generate the service's keys. */
273 if (!service_or_spn_to_kerberos_princ(tmpctx,
282 /* According to http://support.microsoft.com/kb/326985/en-us,
283 certain principal names are automatically mapped to the
284 host/... principal in the AD account.
285 So only create these in the keytab, not in AD. --jerry */
287 if (update_ads && !strequal(srvPrinc, "cifs") &&
288 !strequal(srvPrinc, "host")) {
289 if (!ads_set_machine_account_spns(tmpctx,
299 for (i = 0; enctypes[i]; i++) {
301 /* add the fqdn principal to the keytab */
302 ret = smb_krb5_kt_add_entry(context,
309 false); /* no_salt */
311 DBG_WARNING("Failed to add entry to keytab\n");
315 /* add the short principal name if we have one */
317 ret = smb_krb5_kt_add_entry(context,
324 false); /* no_salt */
326 DBG_WARNING("Failed to add short entry to keytab\n");
335 /**********************************************************************
336 Adds a single service principal, i.e. 'host' to the system keytab
337 ***********************************************************************/
339 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
341 krb5_error_code ret = 0;
342 krb5_context context = NULL;
343 krb5_keytab keytab = NULL;
346 char *salt_princ_s = NULL;
347 char *password_s = NULL;
349 TALLOC_CTX *tmpctx = NULL;
350 char **hostnames_array = NULL;
351 size_t num_hostnames = 0;
353 ret = smb_krb5_init_context_common(&context);
355 DBG_ERR("kerberos init context failed (%s)\n",
360 ret = ads_keytab_open(context, &keytab);
365 /* retrieve the password */
366 if (!secrets_init()) {
367 DBG_WARNING("secrets_init failed\n");
371 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
373 DBG_WARNING("failed to fetch machine password\n");
377 ZERO_STRUCT(password);
378 password.data = password_s;
379 password.length = strlen(password_s);
381 /* we need the dNSHostName value here */
382 tmpctx = talloc_init(__location__);
384 DBG_ERR("talloc_init() failed!\n");
389 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
391 DBG_ERR("unable to determine machine account's dns name in "
397 /* make sure we have a single instance of a the computer account */
398 if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
399 DBG_ERR("unable to determine machine account's short name in "
405 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
407 /* -1 indicates failure, everything else is OK */
408 DBG_WARNING("ads_get_machine_kvno failed to determine the "
414 salt_princ_s = kerberos_secrets_fetch_salt_princ();
415 if (salt_princ_s == NULL) {
416 DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
421 ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
422 kvno, srvPrinc, my_fqdn, &password,
428 if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
434 for (i = 0; i < num_hostnames; i++) {
436 ret = add_kt_entry_etypes(context, tmpctx, ads,
437 salt_princ_s, keytab,
440 &password, update_ads);
448 SAFE_FREE(salt_princ_s);
452 krb5_kt_close(context, keytab);
455 krb5_free_context(context);
460 /**********************************************************************
461 Flushes all entries from the system keytab.
462 ***********************************************************************/
464 int ads_keytab_flush(ADS_STRUCT *ads)
466 krb5_error_code ret = 0;
467 krb5_context context = NULL;
468 krb5_keytab keytab = NULL;
472 ret = smb_krb5_init_context_common(&context);
474 DBG_ERR("kerberos init context failed (%s)\n",
479 ret = ads_keytab_open(context, &keytab);
484 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
486 /* -1 indicates a failure */
487 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
492 /* Seek and delete old keytab entries */
493 ret = smb_krb5_kt_seek_and_delete_old_entries(context,
505 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
506 if (!ADS_ERR_OK(aderr)) {
507 DEBUG(1, (__location__ ": Error while clearing service "
508 "principal listings in LDAP.\n"));
515 krb5_kt_close(context, keytab);
518 krb5_free_context(context);
523 /**********************************************************************
524 Adds all the required service principals to the system keytab.
525 ***********************************************************************/
527 int ads_keytab_create_default(ADS_STRUCT *ads)
529 krb5_error_code ret = 0;
530 krb5_context context = NULL;
531 krb5_keytab keytab = NULL;
532 krb5_kt_cursor cursor = {0};
533 krb5_keytab_entry kt_entry = {0};
536 char *sam_account_name, *upn;
537 char **oldEntries = NULL, *princ_s[26];
546 ZERO_STRUCT(kt_entry);
549 frame = talloc_stackframe();
555 status = ads_get_service_principal_names(frame,
560 if (!ADS_ERR_OK(status)) {
565 for (i = 0; i < num_spns; i++) {
569 srv_princ = strlower_talloc(frame, spn_array[i]);
570 if (srv_princ == NULL) {
575 p = strchr_m(srv_princ, '/');
581 /* Add the SPNs found on the DC */
582 ret = ads_keytab_add_entry(ads, srv_princ, false);
584 DEBUG(1, ("ads_keytab_add_entry failed while "
585 "adding '%s' principal.\n",
591 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
592 really needs them and we will fall back to verifying against
595 ret = ads_keytab_add_entry(ads, "cifs", false));
597 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
598 "adding 'cifs'.\n"));
603 memset(princ_s, '\0', sizeof(princ_s));
605 ret = smb_krb5_init_context_common(&context);
607 DBG_ERR("kerberos init context failed (%s)\n",
612 machine_name = talloc_strdup(frame, lp_netbios_name());
618 /* now add the userPrincipalName and sAMAccountName entries */
619 ok = ads_has_samaccountname(ads, frame, machine_name);
621 DEBUG(0, (__location__ ": unable to determine machine "
622 "account's name in AD!\n"));
628 * append '$' to netbios name so 'ads_keytab_add_entry' recognises
629 * it as a machine account rather than a service or Windows SPN.
631 sam_account_name = talloc_asprintf(frame, "%s$",machine_name);
632 if (sam_account_name == NULL) {
636 /* upper case the sAMAccountName to make it easier for apps to
637 know what case to use in the keytab file */
638 if (!strupper_m(sam_account_name)) {
643 ret = ads_keytab_add_entry(ads, sam_account_name, false);
645 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
646 "while adding sAMAccountName (%s)\n",
651 /* remember that not every machine account will have a upn */
652 upn = ads_get_upn(ads, frame, machine_name);
654 ret = ads_keytab_add_entry(ads, upn, false);
656 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
657 "failed while adding UPN (%s)\n", upn));
662 /* Now loop through the keytab and update any other existing entries */
663 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
664 if (kvno == (krb5_kvno)-1) {
665 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
666 "determine the system's kvno.\n"));
670 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
673 ret = ads_keytab_open(context, &keytab);
678 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
679 if (ret != KRB5_KT_END && ret != ENOENT ) {
680 while ((ret = krb5_kt_next_entry(context, keytab,
681 &kt_entry, &cursor)) == 0) {
682 smb_krb5_kt_free_entry(context, &kt_entry);
683 ZERO_STRUCT(kt_entry);
687 krb5_kt_end_seq_get(context, keytab, &cursor);
691 * Hmmm. There is no "rewind" function for the keytab. This means we
692 * have a race condition where someone else could add entries after
693 * we've counted them. Re-open asap to minimise the race. JRA.
695 DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
700 oldEntries = talloc_zero_array(frame, char *, found + 1);
702 DEBUG(1, (__location__ ": Failed to allocate space to store "
703 "the old keytab entries (talloc failed?).\n"));
708 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
709 if (ret == KRB5_KT_END || ret == ENOENT) {
710 krb5_kt_end_seq_get(context, keytab, &cursor);
715 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
716 if (kt_entry.vno != kvno) {
717 char *ktprinc = NULL;
720 /* This returns a malloc'ed string in ktprinc. */
721 ret = smb_krb5_unparse_name(oldEntries, context,
725 DEBUG(1, (__location__
726 ": smb_krb5_unparse_name failed "
727 "(%s)\n", error_message(ret)));
731 * From looking at the krb5 source they don't seem to
732 * take locale or mb strings into account.
733 * Maybe this is because they assume utf8 ?
734 * In this case we may need to convert from utf8 to
735 * mb charset here ? JRA.
737 p = strchr_m(ktprinc, '@');
742 p = strchr_m(ktprinc, '/');
746 for (i = 0; i < found; i++) {
747 if (!oldEntries[i]) {
748 oldEntries[i] = ktprinc;
751 if (!strcmp(oldEntries[i], ktprinc)) {
752 TALLOC_FREE(ktprinc);
757 TALLOC_FREE(ktprinc);
760 smb_krb5_kt_free_entry(context, &kt_entry);
761 ZERO_STRUCT(kt_entry);
763 krb5_kt_end_seq_get(context, keytab, &cursor);
767 for (i = 0; oldEntries[i]; i++) {
768 ret |= ads_keytab_add_entry(ads, oldEntries[i], false);
769 TALLOC_FREE(oldEntries[i]);
773 TALLOC_FREE(oldEntries);
777 if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
778 smb_krb5_kt_free_entry(context, &kt_entry);
780 if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
781 krb5_kt_end_seq_get(context, keytab, &cursor);
784 krb5_kt_close(context, keytab);
786 krb5_free_context(context);
791 #endif /* HAVE_ADS */
793 /**********************************************************************
795 ***********************************************************************/
797 int ads_keytab_list(const char *keytab_name)
799 krb5_error_code ret = 0;
800 krb5_context context = NULL;
801 krb5_keytab keytab = NULL;
802 krb5_kt_cursor cursor;
803 krb5_keytab_entry kt_entry;
805 ZERO_STRUCT(kt_entry);
808 ret = smb_krb5_init_context_common(&context);
810 DBG_ERR("kerberos init context failed (%s)\n",
815 if (keytab_name == NULL) {
817 ret = ads_keytab_open(context, &keytab);
822 ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
825 DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
826 error_message(ret)));
830 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
836 printf("Vno Type Principal\n");
838 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
840 char *princ_s = NULL;
841 char *etype_s = NULL;
842 krb5_enctype enctype = 0;
844 ret = smb_krb5_unparse_name(talloc_tos(), context,
845 kt_entry.principal, &princ_s);
850 enctype = smb_krb5_kt_get_enctype_from_entry(&kt_entry);
852 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
854 (asprintf(&etype_s, "UNKNOWN: %d", enctype) == -1)) {
855 TALLOC_FREE(princ_s);
859 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
861 TALLOC_FREE(princ_s);
864 ret = smb_krb5_kt_free_entry(context, &kt_entry);
870 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
875 /* Ensure we don't double free. */
876 ZERO_STRUCT(kt_entry);
880 if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
881 smb_krb5_kt_free_entry(context, &kt_entry);
883 if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
884 krb5_kt_end_seq_get(context, keytab, &cursor);
888 krb5_kt_close(context, keytab);
891 krb5_free_context(context);
896 #endif /* HAVE_KRB5 */
git.samba.org / bbaumbach / samba-autobuild / .git / blob