2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
37 /**********************************************************************
38 Adds a single service principal, i.e. 'host' to the system keytab
39 ***********************************************************************/
41 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
43 krb5_error_code ret = 0;
44 krb5_context context = NULL;
45 krb5_keytab keytab = NULL;
48 krb5_enctype enctypes[6] = {
51 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
52 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
54 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
55 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
61 char *short_princ_s = NULL;
62 char *salt_princ_s = NULL;
63 char *password_s = NULL;
65 TALLOC_CTX *tmpctx = NULL;
70 initialize_krb5_error_table();
71 ret = krb5_init_context(&context);
73 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
78 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
80 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
85 /* retrieve the password */
86 if (!secrets_init()) {
87 DEBUG(1, (__location__ ": secrets_init failed\n"));
91 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
93 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
97 ZERO_STRUCT(password);
98 password.data = password_s;
99 password.length = strlen(password_s);
101 /* we need the dNSHostName value here */
102 tmpctx = talloc_init(__location__);
104 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
109 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
111 DEBUG(0, (__location__ ": unable to determine machine "
112 "account's dns name in AD!\n"));
117 machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name());
119 DEBUG(0, (__location__ ": unable to determine machine "
120 "account's short name in AD!\n"));
124 /*strip the trailing '$' */
125 machine_name[strlen(machine_name)-1] = '\0';
127 /* Construct our principal */
128 if (strchr_m(srvPrinc, '@')) {
129 /* It's a fully-named principal. */
130 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
135 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
136 /* It's the machine account, as used by smbclient clients. */
137 princ_s = talloc_asprintf(tmpctx, "%s@%s",
138 srvPrinc, lp_realm());
144 /* It's a normal service principal. Add the SPN now so that we
145 * can obtain credentials for it and double-check the salt value
146 * used to generate the service's keys. */
148 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
149 srvPrinc, my_fqdn, lp_realm());
154 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
155 srvPrinc, machine_name,
157 if (short_princ_s == NULL) {
162 /* According to http://support.microsoft.com/kb/326985/en-us,
163 certain principal names are automatically mapped to the
164 host/... principal in the AD account.
165 So only create these in the keytab, not in AD. --jerry */
167 if (!strequal(srvPrinc, "cifs") &&
168 !strequal(srvPrinc, "host")) {
169 DEBUG(3, (__location__ ": Attempting to add/update "
172 aderr = ads_add_service_principal_name(ads,
173 lp_netbios_name(), my_fqdn, srvPrinc);
174 if (!ADS_ERR_OK(aderr)) {
175 DEBUG(1, (__location__ ": failed to "
176 "ads_add_service_principal_name.\n"));
182 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
184 /* -1 indicates failure, everything else is OK */
185 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
186 "determine the system's kvno.\n"));
191 for (i = 0; enctypes[i]; i++) {
192 salt_princ_s = kerberos_fetch_salt_princ_for_host_princ(context,
196 /* add the fqdn principal to the keytab */
197 ret = smb_krb5_kt_add_entry(context,
207 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
208 SAFE_FREE(salt_princ_s);
212 /* add the short principal name if we have one */
214 ret = smb_krb5_kt_add_entry(context,
224 DEBUG(1, (__location__
225 ": Failed to add short entry to keytab\n"));
226 SAFE_FREE(salt_princ_s);
230 SAFE_FREE(salt_princ_s);
237 krb5_kt_close(context, keytab);
240 krb5_free_context(context);
245 /**********************************************************************
246 Flushes all entries from the system keytab.
247 ***********************************************************************/
249 int ads_keytab_flush(ADS_STRUCT *ads)
251 krb5_error_code ret = 0;
252 krb5_context context = NULL;
253 krb5_keytab keytab = NULL;
257 initialize_krb5_error_table();
258 ret = krb5_init_context(&context);
260 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
261 error_message(ret)));
265 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
267 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
268 error_message(ret)));
272 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
274 /* -1 indicates a failure */
275 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
279 /* Seek and delete old keytab entries */
280 ret = smb_krb5_kt_seek_and_delete_old_entries(context,
291 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
292 if (!ADS_ERR_OK(aderr)) {
293 DEBUG(1, (__location__ ": Error while clearing service "
294 "principal listings in LDAP.\n"));
300 krb5_kt_close(context, keytab);
303 krb5_free_context(context);
308 /**********************************************************************
309 Adds all the required service principals to the system keytab.
310 ***********************************************************************/
312 int ads_keytab_create_default(ADS_STRUCT *ads)
314 krb5_error_code ret = 0;
315 krb5_context context = NULL;
316 krb5_keytab keytab = NULL;
317 krb5_kt_cursor cursor = {0};
318 krb5_keytab_entry kt_entry = {0};
321 char *sam_account_name, *upn;
322 char **oldEntries = NULL, *princ_s[26];
330 ZERO_STRUCT(kt_entry);
333 frame = talloc_stackframe();
339 status = ads_get_service_principal_names(frame,
344 if (!ADS_ERR_OK(status)) {
349 for (i = 0; i < num_spns; i++) {
353 srv_princ = strlower_talloc(frame, spn_array[i]);
354 if (srv_princ == NULL) {
359 p = strchr_m(srv_princ, '/');
365 /* Add the SPNs found on the DC */
366 ret = ads_keytab_add_entry(ads, srv_princ);
368 DEBUG(1, ("ads_keytab_add_entry failed while "
369 "adding '%s' principal.\n",
375 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
376 really needs them and we will fall back to verifying against
379 ret = ads_keytab_add_entry(ads, "cifs"));
381 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
382 "adding 'cifs'.\n"));
387 memset(princ_s, '\0', sizeof(princ_s));
389 initialize_krb5_error_table();
390 ret = krb5_init_context(&context);
392 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
393 error_message(ret)));
397 machine_name = talloc_strdup(frame, lp_netbios_name());
403 /* now add the userPrincipalName and sAMAccountName entries */
404 sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
405 if (!sam_account_name) {
406 DEBUG(0, (__location__ ": unable to determine machine "
407 "account's name in AD!\n"));
412 /* upper case the sAMAccountName to make it easier for apps to
413 know what case to use in the keytab file */
414 if (!strupper_m(sam_account_name)) {
419 ret = ads_keytab_add_entry(ads, sam_account_name);
421 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
422 "while adding sAMAccountName (%s)\n",
427 /* remember that not every machine account will have a upn */
428 upn = ads_get_upn(ads, frame, machine_name);
430 ret = ads_keytab_add_entry(ads, upn);
432 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
433 "failed while adding UPN (%s)\n", upn));
438 /* Now loop through the keytab and update any other existing entries */
439 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
440 if (kvno == (krb5_kvno)-1) {
441 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
442 "determine the system's kvno.\n"));
446 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
449 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
451 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
452 error_message(ret)));
456 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
457 if (ret != KRB5_KT_END && ret != ENOENT ) {
458 while ((ret = krb5_kt_next_entry(context, keytab,
459 &kt_entry, &cursor)) == 0) {
460 smb_krb5_kt_free_entry(context, &kt_entry);
461 ZERO_STRUCT(kt_entry);
465 krb5_kt_end_seq_get(context, keytab, &cursor);
469 * Hmmm. There is no "rewind" function for the keytab. This means we
470 * have a race condition where someone else could add entries after
471 * we've counted them. Re-open asap to minimise the race. JRA.
473 DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
478 oldEntries = talloc_zero_array(frame, char *, found + 1);
480 DEBUG(1, (__location__ ": Failed to allocate space to store "
481 "the old keytab entries (talloc failed?).\n"));
486 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
487 if (ret == KRB5_KT_END || ret == ENOENT) {
488 krb5_kt_end_seq_get(context, keytab, &cursor);
493 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
494 if (kt_entry.vno != kvno) {
495 char *ktprinc = NULL;
498 /* This returns a malloc'ed string in ktprinc. */
499 ret = smb_krb5_unparse_name(oldEntries, context,
503 DEBUG(1, (__location__
504 ": smb_krb5_unparse_name failed "
505 "(%s)\n", error_message(ret)));
509 * From looking at the krb5 source they don't seem to
510 * take locale or mb strings into account.
511 * Maybe this is because they assume utf8 ?
512 * In this case we may need to convert from utf8 to
513 * mb charset here ? JRA.
515 p = strchr_m(ktprinc, '@');
520 p = strchr_m(ktprinc, '/');
524 for (i = 0; i < found; i++) {
525 if (!oldEntries[i]) {
526 oldEntries[i] = ktprinc;
529 if (!strcmp(oldEntries[i], ktprinc)) {
530 TALLOC_FREE(ktprinc);
535 TALLOC_FREE(ktprinc);
538 smb_krb5_kt_free_entry(context, &kt_entry);
539 ZERO_STRUCT(kt_entry);
541 krb5_kt_end_seq_get(context, keytab, &cursor);
545 for (i = 0; oldEntries[i]; i++) {
546 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
547 TALLOC_FREE(oldEntries[i]);
551 TALLOC_FREE(oldEntries);
555 krb5_keytab_entry zero_kt_entry;
556 ZERO_STRUCT(zero_kt_entry);
557 if (memcmp(&zero_kt_entry, &kt_entry,
558 sizeof(krb5_keytab_entry))) {
559 smb_krb5_kt_free_entry(context, &kt_entry);
563 krb5_kt_cursor zero_csr;
564 ZERO_STRUCT(zero_csr);
565 if ((memcmp(&cursor, &zero_csr,
566 sizeof(krb5_kt_cursor)) != 0) && keytab) {
567 krb5_kt_end_seq_get(context, keytab, &cursor);
571 krb5_kt_close(context, keytab);
574 krb5_free_context(context);
579 #endif /* HAVE_ADS */
581 /**********************************************************************
583 ***********************************************************************/
585 int ads_keytab_list(const char *keytab_name)
587 krb5_error_code ret = 0;
588 krb5_context context = NULL;
589 krb5_keytab keytab = NULL;
590 krb5_kt_cursor cursor;
591 krb5_keytab_entry kt_entry;
593 ZERO_STRUCT(kt_entry);
596 initialize_krb5_error_table();
597 ret = krb5_init_context(&context);
599 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
600 error_message(ret)));
604 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
606 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
607 error_message(ret)));
611 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
617 printf("Vno Type Principal\n");
619 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
621 char *princ_s = NULL;
622 char *etype_s = NULL;
623 krb5_enctype enctype = 0;
625 ret = smb_krb5_unparse_name(talloc_tos(), context,
626 kt_entry.principal, &princ_s);
631 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
633 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
635 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
636 TALLOC_FREE(princ_s);
640 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
642 TALLOC_FREE(princ_s);
645 ret = smb_krb5_kt_free_entry(context, &kt_entry);
651 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
656 /* Ensure we don't double free. */
657 ZERO_STRUCT(kt_entry);
662 krb5_keytab_entry zero_kt_entry;
663 ZERO_STRUCT(zero_kt_entry);
664 if (memcmp(&zero_kt_entry, &kt_entry,
665 sizeof(krb5_keytab_entry))) {
666 smb_krb5_kt_free_entry(context, &kt_entry);
670 krb5_kt_cursor zero_csr;
671 ZERO_STRUCT(zero_csr);
672 if ((memcmp(&cursor, &zero_csr,
673 sizeof(krb5_kt_cursor)) != 0) && keytab) {
674 krb5_kt_end_seq_get(context, keytab, &cursor);
679 krb5_kt_close(context, keytab);
682 krb5_free_context(context);
687 #endif /* HAVE_KRB5 */