2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
13 This program is free software; you can redistribute it and/or modify
14 it under the terms of the GNU General Public License as published by
15 the Free Software Foundation; either version 2 of the License, or
16 (at your option) any later version.
18 This program is distributed in the hope that it will be useful,
19 but WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 GNU General Public License for more details.
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 /**********************************************************************
33 Converts a name to a fully qalified domain name.
34 ***********************************************************************/
36 void name_to_fqdn(fstring fqdn, const char *name)
38 struct hostent *hp = sys_gethostbyname(name);
39 if ( hp && hp->h_name && *hp->h_name ) {
40 DEBUG(10,("name_to_fqdn: lookup for %s -> %s.\n", name, hp->h_name));
41 fstrcpy(fqdn,hp->h_name);
43 DEBUG(10,("name_to_fqdn: lookup for %s failed.\n", name));
48 /**********************************************************************
49 Adds a single service principal, i.e. 'host' to the system keytab
50 ***********************************************************************/
52 int ads_keytab_add_entry(const char *srvPrinc, ADS_STRUCT *ads)
54 krb5_error_code ret = 0;
55 krb5_context context = NULL;
56 krb5_keytab keytab = NULL;
57 krb5_kt_cursor cursor = NULL;
58 krb5_keytab_entry kt_entry;
59 krb5_principal princ = NULL;
61 krb5_enctype *enctypes = NULL;
64 char *principal = NULL;
66 char *password_s = NULL;
67 char keytab_name[MAX_KEYTAB_NAME_LEN]; /* This MAX_NAME_LEN is a constant defined in krb5.h */
72 ZERO_STRUCT(kt_entry);
73 initialize_krb5_error_table();
74 ret = krb5_init_context(&context);
76 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
79 #ifdef HAVE_WRFILE_KEYTAB /* MIT */
82 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
84 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
87 DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret)));
90 DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name));
91 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
93 DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret)));
97 /* retrieve the password */
98 if (!secrets_init()) {
99 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
103 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
105 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
109 password.data = password_s;
110 password.length = strlen(password_s);
112 /* Construct our principal */
113 name_to_fqdn(my_fqdn, global_myname());
115 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
117 ret = krb5_parse_name(context, princ_s, &princ);
119 DEBUG(1,("ads_keytab_add_entry: krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
123 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
124 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
125 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
130 /* Seek and delete old keytab entries */
131 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
132 if (ret != KRB5_KT_END && ret != ENOENT ) {
133 DEBUG(3,("ads_keytab_add_entry: Will try to delete old keytab entries\n"));
134 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
135 BOOL compare_ok = False;
137 ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc);
139 DEBUG(1,("ads_keytab_add_entry: krb5_unparse_name failed (%s)\n", error_message(ret)));
143 /*---------------------------------------------------------------------------
144 * Save the entries with kvno - 1. This is what microsoft does
145 * to allow people with existing sessions that have kvno - 1 to still
146 * work. Otherwise, when the password for the machine changes, all
147 * kerberizied sessions will 'break' until either the client reboots or
148 * the client's session key expires and they get a new session ticket
152 #ifdef HAVE_KRB5_KT_COMPARE
153 compare_ok = ((krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True) && (kt_entry.vno != kvno - 1));
155 compare_ok = ((strcmp(ktprinc, princ_s) == 0) && (kt_entry.vno != kvno - 1));
157 krb5_free_unparsed_name(context, ktprinc);
161 DEBUG(3,("ads_keytab_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
162 princ_s, kt_entry.vno));
163 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
166 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
167 error_message(ret)));
170 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
172 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
173 error_message(ret)));
176 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
178 DEBUG(1,("ads_keytab_add_entry: krb5_kt_start_seq failed (%s)\n",
179 error_message(ret)));
182 ret = krb5_free_keytab_entry_contents(context, &kt_entry);
183 ZERO_STRUCT(kt_entry);
185 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
186 error_message(ret)));
192 /* Not a match, just free this entry and continue. */
193 ret = krb5_free_keytab_entry_contents(context, &kt_entry);
194 ZERO_STRUCT(kt_entry);
196 DEBUG(1,("ads_keytab_add_entry: krb5_free_keytab_entry_contents failed (%s)\n", error_message(ret)));
201 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
204 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
209 /* Ensure we don't double free. */
210 ZERO_STRUCT(kt_entry);
213 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
215 ret = get_kerberos_allowed_etypes(context,&enctypes);
217 DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret)));
221 /* Now add keytab entries for all encryption types */
222 for (i = 0; enctypes[i]; i++) {
225 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
226 #error krb5_keytab_entry has no key or keyblock member
228 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
229 keyp = &kt_entry.key;
231 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
232 keyp = &kt_entry.keyblock;
234 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
238 kt_entry.principal = princ;
241 DEBUG(3,("ads_keytab_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
242 princ_s, enctypes[i], kt_entry.vno));
243 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
244 krb5_free_keyblock(context, keyp);
245 ZERO_STRUCT(kt_entry);
247 DEBUG(1,("ads_keytab_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
252 krb5_kt_close(context, keytab);
253 keytab = NULL; /* Done with keytab now. No double free. */
255 /* Update the LDAP with the SPN */
256 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
257 if (!ADS_ERR_OK(ads_add_spn(ads, global_myname(), srvPrinc))) {
258 DEBUG(1,("ads_keytab_add_entry: ads_add_spn failed.\n"));
264 SAFE_FREE(principal);
265 SAFE_FREE(password_s);
269 krb5_keytab_entry zero_kt_entry;
270 ZERO_STRUCT(zero_kt_entry);
271 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
272 krb5_free_keytab_entry_contents(context, &kt_entry);
276 krb5_free_principal(context, princ);
279 free_kerberos_etypes(context, enctypes);
281 if (cursor && keytab) {
282 krb5_kt_end_seq_get(context, keytab, &cursor);
285 krb5_kt_close(context, keytab);
288 krb5_free_context(context);
293 /**********************************************************************
294 Flushes all entries from the system keytab.
295 ***********************************************************************/
297 int ads_keytab_flush(ADS_STRUCT *ads)
299 krb5_error_code ret = 0;
300 krb5_context context = NULL;
301 krb5_keytab keytab = NULL;
302 krb5_kt_cursor cursor = NULL;
303 krb5_keytab_entry kt_entry;
305 char keytab_name[MAX_KEYTAB_NAME_LEN];
307 ZERO_STRUCT(kt_entry);
308 initialize_krb5_error_table();
309 ret = krb5_init_context(&context);
311 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
314 #ifdef HAVE_WRFILE_KEYTAB
315 keytab_name[0] = 'W';
316 keytab_name[1] = 'R';
317 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
319 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
322 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
325 DEBUG(3,("ads_keytab_flush: Using default keytab: %s\n", (char *) &keytab_name));
326 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
328 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
331 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
333 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
337 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
338 if (kvno == -1) { /* -1 indicates a failure */
339 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
343 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
344 if (ret != KRB5_KT_END && ret != ENOENT) {
345 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
346 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
349 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
352 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
354 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
357 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
359 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
362 ret = krb5_free_keytab_entry_contents(context, &kt_entry);
363 ZERO_STRUCT(kt_entry);
365 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
371 /* Ensure we don't double free. */
372 ZERO_STRUCT(kt_entry);
375 if (!ADS_ERR_OK(ads_clear_spns(ads, global_myname()))) {
376 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
383 krb5_keytab_entry zero_kt_entry;
384 ZERO_STRUCT(zero_kt_entry);
385 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
386 krb5_free_keytab_entry_contents(context, &kt_entry);
389 if (cursor && keytab) {
390 krb5_kt_end_seq_get(context, keytab, &cursor);
393 krb5_kt_close(context, keytab);
396 krb5_free_context(context);
401 /**********************************************************************
402 Adds all the required service principals to the system keytab.
403 ***********************************************************************/
405 int ads_keytab_create_default(ADS_STRUCT *ads)
407 krb5_error_code ret = 0;
408 krb5_context context = NULL;
409 krb5_keytab keytab = NULL;
410 krb5_kt_cursor cursor = NULL;
411 krb5_keytab_entry kt_entry;
414 char **oldEntries = NULL;
416 ret = ads_keytab_add_entry("host", ads);
418 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
421 ret = ads_keytab_add_entry("cifs", ads);
423 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
427 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
429 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
433 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to preserve and update.\n"));
434 /* Now loop through the keytab and update any other existing entries... */
436 ZERO_STRUCT(kt_entry);
438 initialize_krb5_error_table();
439 ret = krb5_init_context(&context);
441 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
444 ret = krb5_kt_default(context, &keytab);
446 DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret)));
450 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
451 if (ret != KRB5_KT_END && ret != ENOENT ) {
452 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
453 krb5_free_keytab_entry_contents(context, &kt_entry);
454 ZERO_STRUCT(kt_entry);
458 krb5_kt_end_seq_get(context, keytab, &cursor);
462 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
463 * where someone else could add entries after we've counted them. Re-open asap to minimise
467 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
471 oldEntries = (char **) malloc(found * sizeof(char *));
473 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
477 memset(oldEntries, '\0', found * sizeof(char *));
479 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
480 if (ret != KRB5_KT_END && ret != ENOENT ) {
481 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
482 if (kt_entry.vno != kvno) {
483 char *ktprinc = NULL;
486 /* This returns a malloc'ed string in ktprinc. */
487 ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc);
489 DEBUG(1,("krb5_unparse_name failed (%s)\n", error_message(ret)));
493 * From looking at the krb5 source they don't seem to take locale
494 * or mb strings into account. Maybe this is because they assume utf8 ?
495 * In this case we may need to convert from utf8 to mb charset here ? JRA.
497 p = strchr_m(ktprinc, '/');
501 for (i = 0; i < found; i++) {
502 if (!oldEntries[i]) {
503 oldEntries[i] = ktprinc;
506 if (!strcmp(oldEntries[i], ktprinc)) {
511 krb5_free_keytab_entry_contents(context, &kt_entry);
512 ZERO_STRUCT(kt_entry);
514 for (i = 0; oldEntries[i]; i++) {
515 ret |= ads_keytab_add_entry(oldEntries[i], ads);
516 krb5_free_unparsed_name(context, oldEntries[i]);
518 krb5_kt_end_seq_get(context, keytab, &cursor);
524 SAFE_FREE(oldEntries);
527 krb5_keytab_entry zero_kt_entry;
528 ZERO_STRUCT(zero_kt_entry);
529 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
530 krb5_free_keytab_entry_contents(context, &kt_entry);
533 if (cursor && keytab) {
534 krb5_kt_end_seq_get(context, keytab, &cursor);
537 krb5_kt_close(context, keytab);
540 krb5_free_context(context);
544 #endif /* HAVE_KRB5 */
git.samba.org / samba.git / blob