2 Unix SMB/CIFS implementation.
4 Kerberos utility functions
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include "auth/kerberos/kerberos_srv_keytab.h"
29 static void keytab_principals_free(krb5_context context, krb5_principal *set)
32 for (i = 0; set[i] != NULL; i++) {
33 krb5_free_principal(context, set[i]);
37 static krb5_error_code principals_from_list(TALLOC_CTX *parent_ctx,
38 const char *samAccountName,
40 const char **SPNs, int num_SPNs,
42 krb5_principal **principals_out,
43 const char **error_string)
49 krb5_principal *principals = NULL;
50 tmp_ctx = talloc_new(parent_ctx);
52 *error_string = "Cannot allocate tmp_ctx";
57 *error_string = "Cannot have a kerberos secret in "
58 "secrets.ldb without a realm";
63 upper_realm = strupper_talloc(tmp_ctx, realm);
65 *error_string = "Cannot allocate full upper case realm";
70 principals = talloc_zero_array(tmp_ctx, krb5_principal,
71 num_SPNs ? (num_SPNs + 2) : 2);
73 for (i = 0; num_SPNs && i < num_SPNs; i++) {
74 ret = krb5_parse_name(context, SPNs[i], &principals[i]);
77 *error_string = smb_get_krb5_error_message(context, ret,
84 ret = krb5_make_principal(context, &principals[i],
85 upper_realm, samAccountName,
88 *error_string = smb_get_krb5_error_message(context, ret,
96 keytab_principals_free(context, principals);
98 *principals_out = talloc_steal(parent_ctx, principals);
100 talloc_free(tmp_ctx);
104 static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
105 const char *samAccountName,
107 const char *saltPrincipal,
108 krb5_context context,
109 krb5_principal *salt_princ,
110 const char **error_string)
114 char *machine_username;
122 ret = krb5_parse_name(context, saltPrincipal, salt_princ);
124 *error_string = smb_get_krb5_error_message(
125 context, ret, parent_ctx);
130 if (!samAccountName) {
131 (*error_string) = "Cannot determine salt principal, no "
132 "saltPrincipal or samAccountName specified";
137 *error_string = "Cannot have a kerberos secret in "
138 "secrets.ldb without a realm";
142 tmp_ctx = talloc_new(parent_ctx);
144 *error_string = "Cannot allocate tmp_ctx";
148 machine_username = talloc_strdup(tmp_ctx, samAccountName);
149 if (!machine_username) {
150 *error_string = "Cannot duplicate samAccountName";
151 talloc_free(tmp_ctx);
155 if (machine_username[strlen(machine_username)-1] == '$') {
156 machine_username[strlen(machine_username)-1] = '\0';
159 lower_realm = strlower_talloc(tmp_ctx, realm);
161 *error_string = "Cannot allocate to lower case realm";
162 talloc_free(tmp_ctx);
166 upper_realm = strupper_talloc(tmp_ctx, realm);
168 *error_string = "Cannot allocate to upper case realm";
169 talloc_free(tmp_ctx);
173 salt_body = talloc_asprintf(tmp_ctx, "%s.%s",
174 machine_username, lower_realm);
176 *error_string = "Cannot form salt principal body";
177 talloc_free(tmp_ctx);
181 ret = krb5_make_principal(context, salt_princ, upper_realm,
182 "host", salt_body, NULL);
184 *error_string = smb_get_krb5_error_message(context,
188 talloc_free(tmp_ctx);
192 /* Translate between the Microsoft msDS-SupportedEncryptionTypes values
193 * and the IETF encryption type values */
194 static krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap)
196 switch (enctype_bitmap) {
198 return ENCTYPE_DES_CBC_CRC;
200 return ENCTYPE_DES_CBC_MD5;
201 case ENC_RC4_HMAC_MD5:
202 return ENCTYPE_ARCFOUR_HMAC_MD5;
203 case ENC_HMAC_SHA1_96_AES128:
204 return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
205 case ENC_HMAC_SHA1_96_AES256:
206 return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
212 /* Return an array of krb5_enctype values */
213 static krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
214 uint32_t enctype_bitmap,
215 krb5_enctype **enctypes)
217 unsigned int i, j = 0;
218 *enctypes = talloc_zero_array(mem_ctx, krb5_enctype,
219 (8 * sizeof(enctype_bitmap)) + 1);
223 for (i = 0; i < (8 * sizeof(enctype_bitmap)); i++) {
224 uint32_t bit_value = (1 << i) & enctype_bitmap;
225 if (bit_value & enctype_bitmap) {
226 (*enctypes)[j] = ms_suptype_to_ietf_enctype(bit_value);
227 if (!(*enctypes)[j]) {
237 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
238 krb5_principal *principals,
239 krb5_principal salt_princ,
241 const char *password_s,
242 krb5_context context,
243 krb5_enctype *enctypes,
245 const char **error_string)
252 password.data = discard_const_p(char *, password_s);
253 password.length = strlen(password_s);
255 for (i = 0; enctypes[i]; i++) {
256 krb5_keytab_entry entry;
260 ret = create_kerberos_key_from_string_direct(context,
261 salt_princ, &password,
262 &entry.keyblock, enctypes[i]);
269 for (p = 0; principals[p]; p++) {
271 entry.principal = principals[p];
272 ret = krb5_kt_add_entry(context, keytab, &entry);
274 char *k5_error_string =
275 smb_get_krb5_error_message(context,
277 krb5_unparse_name(context,
278 principals[p], &unparsed);
279 *error_string = talloc_asprintf(parent_ctx,
280 "Failed to add enctype %d entry for "
281 "%s(kvno %d) to keytab: %s\n",
282 (int)enctypes[i], unparsed,
283 kvno, k5_error_string);
286 talloc_free(k5_error_string);
287 krb5_free_keyblock_contents(context,
292 DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
293 kvno, (int)enctypes[i]));
295 krb5_free_keyblock_contents(context, &entry.keyblock);
300 static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
301 const char *samAccountName,
303 const char *saltPrincipal,
305 const char *new_secret,
306 const char *old_secret,
307 uint32_t supp_enctypes,
308 krb5_principal *principals,
309 krb5_context context,
312 const char **error_string)
315 krb5_principal salt_princ = NULL;
316 krb5_enctype *enctypes;
320 /* There is no password here, so nothing to do */
324 mem_ctx = talloc_new(parent_ctx);
326 *error_string = "unable to allocate tmp_ctx for create_keytab";
330 /* The salt used to generate these entries may be different however,
332 ret = salt_principal(mem_ctx, samAccountName, realm, saltPrincipal,
333 context, &salt_princ, error_string);
335 talloc_free(mem_ctx);
339 ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
341 *error_string = talloc_asprintf(parent_ctx,
342 "create_keytab: generating list of "
343 "encryption types failed (%s)\n",
344 smb_get_krb5_error_message(context,
349 ret = keytab_add_keys(mem_ctx, principals,
350 salt_princ, kvno, new_secret,
351 context, enctypes, keytab, error_string);
356 if (old_secret && add_old && kvno != 0) {
357 ret = keytab_add_keys(mem_ctx, principals,
358 salt_princ, kvno - 1, old_secret,
359 context, enctypes, keytab, error_string);
363 krb5_free_principal(context, salt_princ);
364 talloc_free(mem_ctx);
369 * Walk the keytab, looking for entries of this principal name,
370 * with KVNO other than current kvno -1.
372 * These entries are now stale,
373 * we only keep the current and previous entries around.
375 * Inspired by the code in Samba3 for 'use kerberos keytab'.
378 static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
380 krb5_principal *principals,
381 bool delete_all_kvno,
382 krb5_context context,
384 bool *found_previous,
385 const char **error_string)
387 krb5_error_code ret, ret2;
388 krb5_kt_cursor cursor;
389 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
395 *found_previous = false;
397 /* for each entry in the keytab */
398 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
402 case HEIM_ERR_OPNOTSUPP:
405 /* no point enumerating if there isn't anything here */
406 talloc_free(mem_ctx);
409 *error_string = talloc_asprintf(parent_ctx,
410 "failed to open keytab for read of old entries: %s\n",
411 smb_get_krb5_error_message(context, ret, mem_ctx));
412 talloc_free(mem_ctx);
418 bool matched = false;
419 krb5_keytab_entry entry;
420 ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
424 for (i = 0; principals[i]; i++) {
425 /* if it matches our principal */
426 if (krb5_kt_compare(context, &entry,
427 principals[i], 0, 0)) {
435 * it wasn't the one we were looking for anyway */
436 krb5_kt_free_entry(context, &entry);
440 /* delete it, if it is not kvno -1 */
441 if (entry.vno != (kvno - 1 )) {
442 /* Release the enumeration. We are going to
443 * have to start this from the top again,
444 * because deletes during enumeration may not
445 * always be consistent.
447 * Also, the enumeration locks a FILE: keytab
450 krb5_kt_end_seq_get(context, keytab, &cursor);
452 ret = krb5_kt_remove_entry(context, keytab, &entry);
453 krb5_kt_free_entry(context, &entry);
455 /* Deleted: Restart from the top */
456 ret2 = krb5_kt_start_seq_get(context, keytab, &cursor);
458 krb5_kt_free_entry(context, &entry);
459 DEBUG(1, ("failed to restart enumeration of keytab: %s\n",
460 smb_get_krb5_error_message(context,
463 talloc_free(mem_ctx);
472 *found_previous = true;
475 /* Free the entry, we don't need it any more */
476 krb5_kt_free_entry(context, &entry);
478 krb5_kt_end_seq_get(context, keytab, &cursor);
488 *error_string = talloc_asprintf(parent_ctx,
489 "failed in deleting old entries for principal: %s\n",
490 smb_get_krb5_error_message(context, ret, mem_ctx));
492 talloc_free(mem_ctx);
496 krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
497 krb5_context context,
498 const char *keytab_name,
499 const char *samAccountName,
503 const char *saltPrincipal,
504 const char *new_secret,
505 const char *old_secret,
507 uint32_t supp_enctypes,
508 bool delete_all_kvno,
509 krb5_keytab *_keytab,
510 const char **error_string)
516 krb5_principal *principals = NULL;
518 if (keytab_name == NULL) {
522 ret = krb5_kt_resolve(context, keytab_name, &keytab);
524 *error_string = smb_get_krb5_error_message(context,
529 DEBUG(5, ("Opened keytab %s\n", keytab_name));
531 tmp_ctx = talloc_new(parent_ctx);
536 /* Get the principal we will store the new keytab entries under */
537 ret = principals_from_list(tmp_ctx,
538 samAccountName, realm, SPNs, num_SPNs,
539 context, &principals, error_string);
542 *error_string = talloc_asprintf(parent_ctx,
543 "Failed to load principals from ldb message: %s\n",
548 ret = remove_old_entries(tmp_ctx, kvno, principals, delete_all_kvno,
549 context, keytab, &found_previous, error_string);
551 *error_string = talloc_asprintf(parent_ctx,
552 "Failed to remove old principals from keytab: %s\n",
557 if (!delete_all_kvno) {
558 /* Create a new keytab. If during the cleanout we found
559 * entires for kvno -1, then don't try and duplicate them.
560 * Otherwise, add kvno, and kvno -1 */
562 ret = create_keytab(tmp_ctx,
563 samAccountName, realm, saltPrincipal,
564 kvno, new_secret, old_secret,
565 supp_enctypes, principals,
567 found_previous ? false : true,
570 talloc_steal(parent_ctx, *error_string);
574 if (ret == 0 && _keytab != NULL) {
575 /* caller wants the keytab handle back */
580 keytab_principals_free(context, principals);
581 if (ret != 0 || _keytab == NULL) {
582 krb5_kt_close(context, keytab);
584 talloc_free(tmp_ctx);
588 krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
589 krb5_context context,
590 const char *new_secret,
591 const char *samAccountName,
595 const char **keytab_name)
598 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
599 const char *rand_string;
600 const char *error_string;
605 rand_string = generate_random_str(mem_ctx, 16);
607 talloc_free(mem_ctx);
611 *keytab_name = talloc_asprintf(mem_ctx, "MEMORY:%s", rand_string);
612 if (*keytab_name == NULL) {
613 talloc_free(mem_ctx);
618 ret = smb_krb5_update_keytab(mem_ctx, context,
619 *keytab_name, samAccountName, realm,
620 NULL, 0, NULL, new_secret, NULL,
622 false, keytab, &error_string);
624 talloc_steal(parent_ctx, *keytab_name);
626 DEBUG(0, ("Failed to create in-memory keytab: %s\n",
630 talloc_free(mem_ctx);