2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
13 This program is free software; you can redistribute it and/or modify
14 it under the terms of the GNU General Public License as published by
15 the Free Software Foundation; either version 2 of the License, or
16 (at your option) any later version.
18 This program is distributed in the hope that it will be useful,
19 but WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 GNU General Public License for more details.
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 /**********************************************************************
33 Converts a name to a fully qalified domain name.
34 ***********************************************************************/
36 void name_to_fqdn(fstring fqdn, const char *name)
38 struct hostent *hp = sys_gethostbyname(name);
39 if ( hp && hp->h_name && *hp->h_name ) {
40 DEBUG(10,("name_to_fqdn: lookup for %s -> %s.\n", name, hp->h_name));
41 fstrcpy(fqdn,hp->h_name);
43 DEBUG(10,("name_to_fqdn: lookup for %s failed.\n", name));
48 /**********************************************************************
49 Adds a single service principal, i.e. 'host' to the system keytab
50 ***********************************************************************/
52 int ads_keytab_add_entry(const char *srvPrinc, ADS_STRUCT *ads)
54 krb5_error_code ret = 0;
55 krb5_context context = NULL;
56 krb5_keytab keytab = NULL;
57 krb5_kt_cursor cursor = NULL;
58 krb5_keytab_entry kt_entry;
59 krb5_principal princ = NULL;
61 krb5_enctype *enctypes = NULL;
63 krb5_keyblock *key = NULL;
65 char *principal = NULL;
67 char *password_s = NULL;
68 char keytab_name[MAX_KEYTAB_NAME_LEN]; /* This MAX_NAME_LEN is a constant defined in krb5.h */
73 ZERO_STRUCT(kt_entry);
74 initialize_krb5_error_table();
75 ret = krb5_init_context(&context);
77 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
80 #ifdef HAVE_WRFILE_KEYTAB /* MIT */
83 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
85 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
88 DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret)));
91 DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name));
92 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
94 DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret)));
98 ret = get_kerberos_allowed_etypes(context,&enctypes);
100 DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret)));
104 /* retrieve the password */
105 if (!secrets_init()) {
106 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
110 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
112 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
116 password.data = password_s;
117 password.length = strlen(password_s);
119 /* Construct our principal */
120 name_to_fqdn(my_fqdn, global_myname());
122 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
124 ret = krb5_parse_name(context, princ_s, &princ);
126 DEBUG(1,("ads_keytab_add_entry: krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
130 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
131 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
132 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
137 /* Seek and delete old keytab entries */
138 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
139 if (ret != KRB5_KT_END && ret != ENOENT ) {
140 DEBUG(3,("ads_keytab_add_entry: Will try to delete old keytab entries\n"));
141 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
143 ret = krb5_unparse_name(context, entry.principal, &ktprinc);
145 DEBUG(1,("ads_keytab_add_entry: krb5_unparse_name failed (%s)\n", error_message(ret)));
149 /*---------------------------------------------------------------------------
150 * Save the entries with kvno - 1. This is what microsoft does
151 * to allow people with existing sessions that have kvno - 1 to still
152 * work. Otherwise, when the password for the machine changes, all
153 * kerberizied sessions will 'break' until either the client reboots or
154 * the client's session key expires and they get a new session ticket
160 #ifdef HAVE_KRB5_KT_COMPARE
161 if (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True && kt_entry.vno != kvno - 1) {
163 if (strcmp(ktprinc, princ_s) == 0 && kt_entry.vno != kvno - 1) {
166 DEBUG(1,("Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
167 princ_s, entry.vno));
168 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
170 DEBUG(1,("krb5_kt_end_seq_get() failed (%s)\n", error_message(ret)));
173 ret = krb5_kt_remove_entry(context, keytab, &entry);
175 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n", error_message(ret)));
178 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
180 DEBUG(1,("krb5_kt_start_seq failed (%s)\n", error_message(ret)));
183 ret = krb5_kt_free_entry(context, &entry);
185 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n", error_message(ret)));
193 ret = krb5_kt_free_entry(context, &entry);
195 DEBUG(1,("krb5_kt_free_entry failed (%s)\n", error_message(ret)));
200 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
202 DEBUG(1,("krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
207 /* Add keytab entries for all encryption types */
208 for (i = 0; enctypes[i]; i++) {
210 key = (krb5_keyblock *) malloc(sizeof(*key));
212 DEBUG(1,("Failed to allocate memory to store the keyblock.\n"));
217 if (create_kerberos_key_from_string(context, princ, &password, key, enctypes[i])) {
221 entry.principal = princ;
224 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
225 #error krb5_keytab_entry has no key or keyblock member
227 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
230 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
231 entry.keyblock = *key;
233 DEBUG(3,("adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
234 princ_s, enctypes[i], entry.vno));
235 ret = krb5_kt_add_entry(context, keytab, &entry);
236 krb5_free_keyblock(context, key);
238 DEBUG(1,("adding entry to keytab failed (%s)\n", error_message(ret)));
239 krb5_kt_close(context, keytab);
244 /* Update the LDAP with the SPN */
245 DEBUG(1,("Attempting to add/update '%s'\n", princ_s));
246 if (!ADS_ERR_OK(ads_add_spn(ads, global_myname(), srvPrinc))) {
247 DEBUG(1,("ads_add_spn failed.\n"));
253 SAFE_FREE(principal);
254 SAFE_FREE(password_s);
258 krb5_keytab_entry zero_kt_entry;
259 ZERO_STRUCT(zero_kt_entry);
260 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
261 krb5_kt_free_entry(context, &kt_entry);
265 krb5_free_principal(context, princ);
268 free_kerberos_etypes(context, enctypes);
270 if (cursor && keytab) {
271 krb5_kt_end_seq_get(context, keytab, &cursor);
274 krb5_kt_close(context, keytab);
277 krb5_free_context(context);
284 Flushes all entries from the system keytab.
286 int ads_keytab_flush(ADS_STRUCT *ads)
289 krb5_context context;
291 krb5_kt_cursor cursor;
292 krb5_keytab_entry entry;
294 char keytab_name[MAX_KEYTAB_NAME_LEN];
296 initialize_krb5_error_table();
297 ret = krb5_init_context(&context);
299 DEBUG(1,("could not krb5_init_context: %s\n",error_message(ret)));
302 #ifdef HAVE_WRFILE_KEYTAB
303 keytab_name[0] = 'W';
304 keytab_name[1] = 'R';
305 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
307 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
310 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
313 DEBUG(1,("Using default keytab: %s\n", (char *) &keytab_name));
314 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
316 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
319 DEBUG(1,("Using default keytab: %s\n", (char *) &keytab_name));
320 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
322 DEBUG(1,("krb5_kt_default failed (%s)\n", error_message(ret)));
326 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
327 if (kvno == -1) { /* -1 indicates a failure */
328 DEBUG(1,("Error determining the system's kvno.\n"));
332 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
333 if (ret != KRB5_KT_END && ret != ENOENT) {
334 while (!krb5_kt_next_entry(context, keytab, &entry, &cursor)) {
335 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
337 DEBUG(1,("krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
340 ret = krb5_kt_remove_entry(context, keytab, &entry);
342 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
345 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
347 DEBUG(1,("krb5_kt_start_seq failed (%s)\n",error_message(ret)));
350 ret = krb5_kt_free_entry(context, &entry);
352 DEBUG(1,("krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
357 if (!ADS_ERR_OK(ads_clear_spns(ads, global_myname()))) {
358 DEBUG(1,("Error while clearing service principal listings in LDAP.\n"));
364 krb5_kt_close(context, keytab);
369 int ads_keytab_create_default(ADS_STRUCT *ads)
372 krb5_context context;
374 krb5_kt_cursor cursor;
375 krb5_keytab_entry entry;
381 ret = ads_keytab_add_entry("host", ads);
383 DEBUG(1,("ads_keytab_add_entry failed while adding 'host'.\n"));
386 ret = ads_keytab_add_entry("cifs", ads);
388 DEBUG(1,("ads_keytab_add_entry failed while adding 'cifs'.\n"));
392 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
394 DEBUG(1,("ads_get_kvno failed to determine the system's kvno.\n"));
398 DEBUG(1,("Searching for keytab entries to preserve and update.\n"));
399 /* Now loop through the keytab and update any other existing entries... */
400 initialize_krb5_error_table();
401 ret = krb5_init_context(&context);
403 DEBUG(1,("could not krb5_init_context: %s\n",error_message(ret)));
406 ret = krb5_kt_default(context, &keytab);
408 DEBUG(1,("krb5_kt_default failed (%s)\n",error_message(ret)));
412 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
413 if (ret != KRB5_KT_END && ret != ENOENT ) {
414 while ((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
419 DEBUG(1, ("Found %d entries in the keytab.\n", found));
423 oldEntries = (char **) malloc(found * sizeof(char *));
425 DEBUG(1,("Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
428 memset(oldEntries, 0, found * sizeof(char *));
430 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
431 if (ret != KRB5_KT_END && ret != ENOENT ) {
432 while ((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
433 if (entry.vno != kvno) {
434 krb5_unparse_name(context, entry.principal, &ktprinc);
435 for (i = 0; *(ktprinc + i); i++) {
436 if (*(ktprinc + i) == '/') {
437 *(ktprinc + i) = (char) NULL;
441 for (i = 0; i < found; i++) {
442 if (!oldEntries[i]) {
443 oldEntries[i] = ktprinc;
446 if (!strcmp(oldEntries[i], ktprinc)) {
452 for (i = 0; oldEntries[i]; i++) {
453 ret |= ads_keytab_add_entry(oldEntries[i], ads);
461 krb5_kt_close(context, keytab);
464 #endif /* HAVE_KRB5 */