2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
35 /**********************************************************************
36 **********************************************************************/
38 static krb5_error_code seek_and_delete_old_entries(krb5_context context,
44 bool keep_old_entries)
47 krb5_kt_cursor cursor;
48 krb5_kt_cursor zero_csr;
49 krb5_keytab_entry kt_entry;
50 krb5_keytab_entry zero_kt_entry;
52 krb5_kvno old_kvno = kvno - 1;
55 ZERO_STRUCT(zero_csr);
56 ZERO_STRUCT(kt_entry);
57 ZERO_STRUCT(zero_kt_entry);
59 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
60 if (ret == KRB5_KT_END || ret == ENOENT ) {
65 DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
66 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
69 if (!flush && (princ_s != NULL)) {
70 ret = smb_krb5_unparse_name(talloc_tos(), context,
74 DEBUG(1, (__location__
75 ": smb_krb5_unparse_name failed "
76 "(%s)\n", error_message(ret)));
80 #ifdef HAVE_KRB5_KT_COMPARE
81 name_ok = krb5_kt_compare(context, &kt_entry,
84 name_ok = (strcmp(ktprinc, princ_s) == 0);
88 DEBUG(10, (__location__ ": ignoring keytab "
89 "entry principal %s, kvno = %d\n",
90 ktprinc, kt_entry.vno));
93 * just free this entry and continue. */
94 ret = smb_krb5_kt_free_entry(context,
96 ZERO_STRUCT(kt_entry);
98 DEBUG(1, (__location__
99 ": smb_krb5_kt_free_entry "
101 error_message(ret)));
105 TALLOC_FREE(ktprinc);
109 TALLOC_FREE(ktprinc);
112 /*------------------------------------------------------------
113 * Save the entries with kvno - 1. This is what microsoft does
114 * to allow people with existing sessions that have kvno - 1
115 * to still work. Otherwise, when the password for the machine
116 * changes, all kerberizied sessions will 'break' until either
117 * the client reboots or the client's session key expires and
118 * they get a new session ticket with the new kvno.
119 * Some keytab files only store the kvno in 8bits, limit
120 * the compare accordingly.
123 if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
124 DEBUG(5, (__location__ ": Saving previous (kvno %d) "
125 "entry for principal: %s.\n",
130 if (keep_old_entries) {
131 DEBUG(5, (__location__ ": Saving old (kvno %d) "
132 "entry for principal: %s.\n",
137 DEBUG(5, (__location__ ": Found old entry for principal: %s "
138 "(kvno %d) - trying to remove it.\n",
139 princ_s, kt_entry.vno));
141 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
144 DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
145 "failed (%s)\n", error_message(ret)));
148 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
150 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
151 "failed (%s)\n", error_message(ret)));
155 DEBUG(5, (__location__ ": removed old entry for principal: "
156 "%s (kvno %d).\n", princ_s, kt_entry.vno));
158 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
160 DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
161 "(%s)\n", error_message(ret)));
164 ret = smb_krb5_kt_free_entry(context, &kt_entry);
165 ZERO_STRUCT(kt_entry);
167 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
168 "failed (%s)\n", error_message(ret)));
174 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
175 smb_krb5_kt_free_entry(context, &kt_entry);
178 if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
179 krb5_kt_end_seq_get(context, keytab, &cursor);
186 static int smb_krb5_kt_add_entry(krb5_context context,
190 krb5_enctype *enctypes,
193 bool keep_old_entries)
196 krb5_keytab_entry kt_entry;
197 krb5_principal princ = NULL;
200 ZERO_STRUCT(kt_entry);
202 ret = smb_krb5_parse_name(context, princ_s, &princ);
204 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
205 "failed (%s)\n", princ_s, error_message(ret)));
209 /* Seek and delete old keytab entries */
210 ret = seek_and_delete_old_entries(context, keytab, kvno,
211 princ_s, princ, false,
217 /* If we get here, we have deleted all the old entries with kvno's
218 * not equal to the current kvno-1. */
220 /* Now add keytab entries for all encryption types */
221 for (i = 0; enctypes[i]; i++) {
224 keyp = KRB5_KT_KEY(&kt_entry);
226 if (create_kerberos_key_from_string(context, princ,
228 enctypes[i], no_salt)) {
232 kt_entry.principal = princ;
235 DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
236 "encryption type (%d) and version (%d)\n",
237 princ_s, enctypes[i], kt_entry.vno));
238 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
239 krb5_free_keyblock_contents(context, keyp);
240 ZERO_STRUCT(kt_entry);
242 DEBUG(1, (__location__ ": adding entry to keytab "
243 "failed (%s)\n", error_message(ret)));
250 krb5_free_principal(context, princ);
258 /**********************************************************************
259 Adds a single service principal, i.e. 'host' to the system keytab
260 ***********************************************************************/
262 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
264 krb5_error_code ret = 0;
265 krb5_context context = NULL;
266 krb5_keytab keytab = NULL;
269 krb5_enctype enctypes[6] = {
272 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
273 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
275 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
276 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
278 ENCTYPE_ARCFOUR_HMAC,
281 char *princ_s = NULL;
282 char *short_princ_s = NULL;
283 char *password_s = NULL;
285 TALLOC_CTX *tmpctx = NULL;
289 initialize_krb5_error_table();
290 ret = krb5_init_context(&context);
292 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
293 error_message(ret)));
297 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
299 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
300 error_message(ret)));
304 /* retrieve the password */
305 if (!secrets_init()) {
306 DEBUG(1, (__location__ ": secrets_init failed\n"));
310 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
312 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
316 ZERO_STRUCT(password);
317 password.data = password_s;
318 password.length = strlen(password_s);
320 /* we need the dNSHostName value here */
321 tmpctx = talloc_init(__location__);
323 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
328 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
330 DEBUG(0, (__location__ ": unable to determine machine "
331 "account's dns name in AD!\n"));
336 machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name());
338 DEBUG(0, (__location__ ": unable to determine machine "
339 "account's short name in AD!\n"));
343 /*strip the trailing '$' */
344 machine_name[strlen(machine_name)-1] = '\0';
346 /* Construct our principal */
347 if (strchr_m(srvPrinc, '@')) {
348 /* It's a fully-named principal. */
349 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
354 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
355 /* It's the machine account, as used by smbclient clients. */
356 princ_s = talloc_asprintf(tmpctx, "%s@%s",
357 srvPrinc, lp_realm());
363 /* It's a normal service principal. Add the SPN now so that we
364 * can obtain credentials for it and double-check the salt value
365 * used to generate the service's keys. */
367 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
368 srvPrinc, my_fqdn, lp_realm());
373 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
374 srvPrinc, machine_name,
376 if (short_princ_s == NULL) {
381 /* According to http://support.microsoft.com/kb/326985/en-us,
382 certain principal names are automatically mapped to the
383 host/... principal in the AD account.
384 So only create these in the keytab, not in AD. --jerry */
386 if (!strequal(srvPrinc, "cifs") &&
387 !strequal(srvPrinc, "host")) {
388 DEBUG(3, (__location__ ": Attempting to add/update "
391 aderr = ads_add_service_principal_name(ads,
392 lp_netbios_name(), my_fqdn, srvPrinc);
393 if (!ADS_ERR_OK(aderr)) {
394 DEBUG(1, (__location__ ": failed to "
395 "ads_add_service_principal_name.\n"));
401 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
403 /* -1 indicates failure, everything else is OK */
404 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
405 "determine the system's kvno.\n"));
410 /* add the fqdn principal to the keytab */
411 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
412 princ_s, enctypes, password,
415 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
419 /* add the short principal name if we have one */
421 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
422 short_princ_s, enctypes, password,
425 DEBUG(1, (__location__
426 ": Failed to add short entry to keytab\n"));
435 krb5_kt_close(context, keytab);
438 krb5_free_context(context);
443 /**********************************************************************
444 Flushes all entries from the system keytab.
445 ***********************************************************************/
447 int ads_keytab_flush(ADS_STRUCT *ads)
449 krb5_error_code ret = 0;
450 krb5_context context = NULL;
451 krb5_keytab keytab = NULL;
455 initialize_krb5_error_table();
456 ret = krb5_init_context(&context);
458 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
459 error_message(ret)));
463 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
465 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
466 error_message(ret)));
470 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
472 /* -1 indicates a failure */
473 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
477 /* Seek and delete old keytab entries */
478 ret = seek_and_delete_old_entries(context, keytab, kvno,
479 NULL, NULL, true, false);
484 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
485 if (!ADS_ERR_OK(aderr)) {
486 DEBUG(1, (__location__ ": Error while clearing service "
487 "principal listings in LDAP.\n"));
493 krb5_kt_close(context, keytab);
496 krb5_free_context(context);
501 /**********************************************************************
502 Adds all the required service principals to the system keytab.
503 ***********************************************************************/
505 int ads_keytab_create_default(ADS_STRUCT *ads)
507 krb5_error_code ret = 0;
508 krb5_context context = NULL;
509 krb5_keytab keytab = NULL;
510 krb5_kt_cursor cursor;
511 krb5_keytab_entry kt_entry;
514 char *sam_account_name, *upn;
515 char **oldEntries = NULL, *princ_s[26];
523 frame = talloc_stackframe();
529 status = ads_get_service_principal_names(frame,
534 if (!ADS_ERR_OK(status)) {
539 for (i = 0; i < num_spns; i++) {
543 srv_princ = strlower_talloc(frame, spn_array[i]);
544 if (srv_princ == NULL) {
549 p = strchr_m(srv_princ, '/');
555 /* Add the SPNs found on the DC */
556 ret = ads_keytab_add_entry(ads, srv_princ);
558 DEBUG(1, ("ads_keytab_add_entry failed while "
559 "adding '%s' principal.\n",
565 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
566 really needs them and we will fall back to verifying against
569 ret = ads_keytab_add_entry(ads, "cifs"));
571 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
572 "adding 'cifs'.\n"));
577 memset(princ_s, '\0', sizeof(princ_s));
578 ZERO_STRUCT(kt_entry);
581 initialize_krb5_error_table();
582 ret = krb5_init_context(&context);
584 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
585 error_message(ret)));
589 machine_name = talloc_strdup(frame, lp_netbios_name());
595 /* now add the userPrincipalName and sAMAccountName entries */
596 sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
597 if (!sam_account_name) {
598 DEBUG(0, (__location__ ": unable to determine machine "
599 "account's name in AD!\n"));
604 /* upper case the sAMAccountName to make it easier for apps to
605 know what case to use in the keytab file */
606 if (!strupper_m(sam_account_name)) {
611 ret = ads_keytab_add_entry(ads, sam_account_name);
613 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
614 "while adding sAMAccountName (%s)\n",
619 /* remember that not every machine account will have a upn */
620 upn = ads_get_upn(ads, frame, machine_name);
622 ret = ads_keytab_add_entry(ads, upn);
624 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
625 "failed while adding UPN (%s)\n", upn));
630 /* Now loop through the keytab and update any other existing entries */
631 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
632 if (kvno == (krb5_kvno)-1) {
633 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
634 "determine the system's kvno.\n"));
638 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
641 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
643 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
644 error_message(ret)));
648 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
649 if (ret != KRB5_KT_END && ret != ENOENT ) {
650 while ((ret = krb5_kt_next_entry(context, keytab,
651 &kt_entry, &cursor)) == 0) {
652 smb_krb5_kt_free_entry(context, &kt_entry);
653 ZERO_STRUCT(kt_entry);
657 krb5_kt_end_seq_get(context, keytab, &cursor);
661 * Hmmm. There is no "rewind" function for the keytab. This means we
662 * have a race condition where someone else could add entries after
663 * we've counted them. Re-open asap to minimise the race. JRA.
665 DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
670 oldEntries = talloc_array(frame, char *, found);
672 DEBUG(1, (__location__ ": Failed to allocate space to store "
673 "the old keytab entries (talloc failed?).\n"));
677 memset(oldEntries, '\0', found * sizeof(char *));
679 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
680 if (ret == KRB5_KT_END || ret == ENOENT) {
681 krb5_kt_end_seq_get(context, keytab, &cursor);
686 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
687 if (kt_entry.vno != kvno) {
688 char *ktprinc = NULL;
691 /* This returns a malloc'ed string in ktprinc. */
692 ret = smb_krb5_unparse_name(oldEntries, context,
696 DEBUG(1, (__location__
697 ": smb_krb5_unparse_name failed "
698 "(%s)\n", error_message(ret)));
702 * From looking at the krb5 source they don't seem to
703 * take locale or mb strings into account.
704 * Maybe this is because they assume utf8 ?
705 * In this case we may need to convert from utf8 to
706 * mb charset here ? JRA.
708 p = strchr_m(ktprinc, '@');
713 p = strchr_m(ktprinc, '/');
717 for (i = 0; i < found; i++) {
718 if (!oldEntries[i]) {
719 oldEntries[i] = ktprinc;
722 if (!strcmp(oldEntries[i], ktprinc)) {
723 TALLOC_FREE(ktprinc);
728 TALLOC_FREE(ktprinc);
731 smb_krb5_kt_free_entry(context, &kt_entry);
732 ZERO_STRUCT(kt_entry);
735 for (i = 0; oldEntries[i]; i++) {
736 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
737 TALLOC_FREE(oldEntries[i]);
739 krb5_kt_end_seq_get(context, keytab, &cursor);
743 TALLOC_FREE(oldEntries);
747 krb5_keytab_entry zero_kt_entry;
748 ZERO_STRUCT(zero_kt_entry);
749 if (memcmp(&zero_kt_entry, &kt_entry,
750 sizeof(krb5_keytab_entry))) {
751 smb_krb5_kt_free_entry(context, &kt_entry);
755 krb5_kt_cursor zero_csr;
756 ZERO_STRUCT(zero_csr);
757 if ((memcmp(&cursor, &zero_csr,
758 sizeof(krb5_kt_cursor)) != 0) && keytab) {
759 krb5_kt_end_seq_get(context, keytab, &cursor);
763 krb5_kt_close(context, keytab);
766 krb5_free_context(context);
771 #endif /* HAVE_ADS */
773 /**********************************************************************
775 ***********************************************************************/
777 int ads_keytab_list(const char *keytab_name)
779 krb5_error_code ret = 0;
780 krb5_context context = NULL;
781 krb5_keytab keytab = NULL;
782 krb5_kt_cursor cursor;
783 krb5_keytab_entry kt_entry;
785 ZERO_STRUCT(kt_entry);
788 initialize_krb5_error_table();
789 ret = krb5_init_context(&context);
791 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
792 error_message(ret)));
796 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
798 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
799 error_message(ret)));
803 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
809 printf("Vno Type Principal\n");
811 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
813 char *princ_s = NULL;
814 char *etype_s = NULL;
815 krb5_enctype enctype = 0;
817 ret = smb_krb5_unparse_name(talloc_tos(), context,
818 kt_entry.principal, &princ_s);
823 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
825 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
827 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
828 TALLOC_FREE(princ_s);
832 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
834 TALLOC_FREE(princ_s);
837 ret = smb_krb5_kt_free_entry(context, &kt_entry);
843 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
848 /* Ensure we don't double free. */
849 ZERO_STRUCT(kt_entry);
854 krb5_keytab_entry zero_kt_entry;
855 ZERO_STRUCT(zero_kt_entry);
856 if (memcmp(&zero_kt_entry, &kt_entry,
857 sizeof(krb5_keytab_entry))) {
858 smb_krb5_kt_free_entry(context, &kt_entry);
862 krb5_kt_cursor zero_csr;
863 ZERO_STRUCT(zero_csr);
864 if ((memcmp(&cursor, &zero_csr,
865 sizeof(krb5_kt_cursor)) != 0) && keytab) {
866 krb5_kt_end_seq_get(context, keytab, &cursor);
871 krb5_kt_close(context, keytab);
874 krb5_free_context(context);
879 #endif /* HAVE_KRB5 */
git.samba.org / samba.git / blob