2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
32 /**********************************************************************
33 **********************************************************************/
35 int smb_krb5_kt_add_entry_ext(krb5_context context,
39 krb5_enctype *enctypes,
42 bool keep_old_entries)
44 krb5_error_code ret = 0;
45 krb5_kt_cursor cursor;
46 krb5_keytab_entry kt_entry;
47 krb5_principal princ = NULL;
51 ZERO_STRUCT(kt_entry);
54 ret = smb_krb5_parse_name(context, princ_s, &princ);
56 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
60 /* Seek and delete old keytab entries */
61 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
62 if (ret != KRB5_KT_END && ret != ENOENT ) {
63 DEBUG(3,("smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries\n"));
64 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
65 bool compare_name_ok = False;
67 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
69 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_unparse_name failed (%s)\n",
74 /*---------------------------------------------------------------------------
75 * Save the entries with kvno - 1. This is what microsoft does
76 * to allow people with existing sessions that have kvno - 1 to still
77 * work. Otherwise, when the password for the machine changes, all
78 * kerberizied sessions will 'break' until either the client reboots or
79 * the client's session key expires and they get a new session ticket
83 #ifdef HAVE_KRB5_KT_COMPARE
84 compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
86 compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
89 if (!compare_name_ok) {
90 DEBUG(10,("smb_krb5_kt_add_entry_ext: ignoring keytab entry principal %s, kvno = %d\n",
91 ktprinc, kt_entry.vno));
96 if (compare_name_ok) {
97 if (kt_entry.vno == kvno - 1) {
98 DEBUG(5,("smb_krb5_kt_add_entry_ext: Saving previous (kvno %d) entry for principal: %s.\n",
100 } else if (!keep_old_entries) {
101 DEBUG(5,("smb_krb5_kt_add_entry_ext: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
102 princ_s, kt_entry.vno));
103 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
106 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get() failed (%s)\n",
107 error_message(ret)));
110 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
112 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
113 error_message(ret)));
117 DEBUG(5,("smb_krb5_kt_add_entry_ext: removed old entry for principal: %s (kvno %d).\n",
118 princ_s, kt_entry.vno));
120 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
122 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_start_seq failed (%s)\n",
123 error_message(ret)));
126 ret = smb_krb5_kt_free_entry(context, &kt_entry);
127 ZERO_STRUCT(kt_entry);
129 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
130 error_message(ret)));
137 /* Not a match, just free this entry and continue. */
138 ret = smb_krb5_kt_free_entry(context, &kt_entry);
139 ZERO_STRUCT(kt_entry);
141 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
146 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
149 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
154 /* Ensure we don't double free. */
155 ZERO_STRUCT(kt_entry);
158 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
160 /* Now add keytab entries for all encryption types */
161 for (i = 0; enctypes[i]; i++) {
164 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
165 #error krb5_keytab_entry has no key or keyblock member
167 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
168 keyp = &kt_entry.key;
170 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
171 keyp = &kt_entry.keyblock;
173 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
177 kt_entry.principal = princ;
180 DEBUG(3,("smb_krb5_kt_add_entry_ext: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
181 princ_s, enctypes[i], kt_entry.vno));
182 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
183 krb5_free_keyblock_contents(context, keyp);
184 ZERO_STRUCT(kt_entry);
186 DEBUG(1,("smb_krb5_kt_add_entry_ext: adding entry to keytab failed (%s)\n", error_message(ret)));
194 krb5_keytab_entry zero_kt_entry;
195 ZERO_STRUCT(zero_kt_entry);
196 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
197 smb_krb5_kt_free_entry(context, &kt_entry);
201 krb5_free_principal(context, princ);
205 krb5_kt_cursor zero_csr;
206 ZERO_STRUCT(zero_csr);
207 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
208 krb5_kt_end_seq_get(context, keytab, &cursor);
215 static int smb_krb5_kt_add_entry(krb5_context context,
219 krb5_enctype *enctypes,
222 return smb_krb5_kt_add_entry_ext(context,
232 /**********************************************************************
233 Adds a single service principal, i.e. 'host' to the system keytab
234 ***********************************************************************/
236 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
238 krb5_error_code ret = 0;
239 krb5_context context = NULL;
240 krb5_keytab keytab = NULL;
243 krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
244 char *princ_s = NULL, *short_princ_s = NULL;
245 char *password_s = NULL;
247 TALLOC_CTX *ctx = NULL;
250 #if defined(ENCTYPE_ARCFOUR_HMAC)
251 enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
254 initialize_krb5_error_table();
255 ret = krb5_init_context(&context);
257 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
261 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
263 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
267 /* retrieve the password */
268 if (!secrets_init()) {
269 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
273 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
275 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
279 password.data = password_s;
280 password.length = strlen(password_s);
282 /* we need the dNSHostName value here */
284 if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
285 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
290 if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
291 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
296 if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
297 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
301 /*strip the trailing '$' */
302 machine_name[strlen(machine_name)-1] = '\0';
304 /* Construct our principal */
306 if (strchr_m(srvPrinc, '@')) {
307 /* It's a fully-named principal. */
308 asprintf(&princ_s, "%s", srvPrinc);
309 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
310 /* It's the machine account, as used by smbclient clients. */
311 asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
313 /* It's a normal service principal. Add the SPN now so that we
314 * can obtain credentials for it and double-check the salt value
315 * used to generate the service's keys. */
317 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
318 asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm());
320 /* According to http://support.microsoft.com/kb/326985/en-us,
321 certain principal names are automatically mapped to the host/...
322 principal in the AD account. So only create these in the
323 keytab, not in AD. --jerry */
325 if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
326 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
328 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
329 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
335 kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
336 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
337 DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
342 /* add the fqdn principal to the keytab */
344 ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
346 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
350 /* add the short principal name if we have one */
352 if ( short_princ_s ) {
353 ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
355 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
361 SAFE_FREE( princ_s );
362 SAFE_FREE( short_princ_s );
366 krb5_kt_close(context, keytab);
369 krb5_free_context(context);
374 /**********************************************************************
375 Flushes all entries from the system keytab.
376 ***********************************************************************/
378 int ads_keytab_flush(ADS_STRUCT *ads)
380 krb5_error_code ret = 0;
381 krb5_context context = NULL;
382 krb5_keytab keytab = NULL;
383 krb5_kt_cursor cursor;
384 krb5_keytab_entry kt_entry;
387 ZERO_STRUCT(kt_entry);
390 initialize_krb5_error_table();
391 ret = krb5_init_context(&context);
393 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
397 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
399 DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
403 kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
404 if (kvno == -1) { /* -1 indicates a failure */
405 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
409 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
410 if (ret != KRB5_KT_END && ret != ENOENT) {
411 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
412 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
415 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
418 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
420 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
423 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
425 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
428 ret = smb_krb5_kt_free_entry(context, &kt_entry);
429 ZERO_STRUCT(kt_entry);
431 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
437 /* Ensure we don't double free. */
438 ZERO_STRUCT(kt_entry);
441 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
442 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
449 krb5_keytab_entry zero_kt_entry;
450 ZERO_STRUCT(zero_kt_entry);
451 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
452 smb_krb5_kt_free_entry(context, &kt_entry);
456 krb5_kt_cursor zero_csr;
457 ZERO_STRUCT(zero_csr);
458 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
459 krb5_kt_end_seq_get(context, keytab, &cursor);
463 krb5_kt_close(context, keytab);
466 krb5_free_context(context);
471 /**********************************************************************
472 Adds all the required service principals to the system keytab.
473 ***********************************************************************/
475 int ads_keytab_create_default(ADS_STRUCT *ads)
477 krb5_error_code ret = 0;
478 krb5_context context = NULL;
479 krb5_keytab keytab = NULL;
480 krb5_kt_cursor cursor;
481 krb5_keytab_entry kt_entry;
484 char *sam_account_name, *upn;
485 char **oldEntries = NULL, *princ_s[26];
486 TALLOC_CTX *ctx = NULL;
487 fstring machine_name;
489 memset(princ_s, '\0', sizeof(princ_s));
491 fstrcpy( machine_name, global_myname() );
493 /* these are the main ones we need */
495 if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
496 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
501 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
502 really needs them and we will fall back to verifying against secrets.tdb */
504 if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
505 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
510 if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
511 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
515 /* now add the userPrincipalName and sAMAccountName entries */
517 if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
518 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
523 /* upper case the sAMAccountName to make it easier for apps to
524 know what case to use in the keytab file */
526 strupper_m( sam_account_name );
528 if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
529 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
534 /* remember that not every machine account will have a upn */
536 upn = ads_get_upn( ads, ctx, machine_name);
538 if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
539 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
548 /* Now loop through the keytab and update any other existing entries... */
550 kvno = (krb5_kvno) ads_get_machine_kvno(ads, machine_name);
552 DEBUG(1,("ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno.\n"));
556 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
557 "preserve and update.\n"));
559 ZERO_STRUCT(kt_entry);
562 initialize_krb5_error_table();
563 ret = krb5_init_context(&context);
565 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
569 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
571 DEBUG(1,("ads_keytab_create_default: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
575 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
576 if (ret != KRB5_KT_END && ret != ENOENT ) {
577 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
578 smb_krb5_kt_free_entry(context, &kt_entry);
579 ZERO_STRUCT(kt_entry);
583 krb5_kt_end_seq_get(context, keytab, &cursor);
587 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
588 * where someone else could add entries after we've counted them. Re-open asap to minimise
592 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
596 oldEntries = SMB_MALLOC_ARRAY(char *, found );
598 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
602 memset(oldEntries, '\0', found * sizeof(char *));
604 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
605 if (ret != KRB5_KT_END && ret != ENOENT ) {
606 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
607 if (kt_entry.vno != kvno) {
608 char *ktprinc = NULL;
611 /* This returns a malloc'ed string in ktprinc. */
612 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
614 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
618 * From looking at the krb5 source they don't seem to take locale
619 * or mb strings into account. Maybe this is because they assume utf8 ?
620 * In this case we may need to convert from utf8 to mb charset here ? JRA.
622 p = strchr_m(ktprinc, '@');
627 p = strchr_m(ktprinc, '/');
631 for (i = 0; i < found; i++) {
632 if (!oldEntries[i]) {
633 oldEntries[i] = ktprinc;
636 if (!strcmp(oldEntries[i], ktprinc)) {
645 smb_krb5_kt_free_entry(context, &kt_entry);
646 ZERO_STRUCT(kt_entry);
649 for (i = 0; oldEntries[i]; i++) {
650 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
651 SAFE_FREE(oldEntries[i]);
653 krb5_kt_end_seq_get(context, keytab, &cursor);
659 SAFE_FREE(oldEntries);
662 krb5_keytab_entry zero_kt_entry;
663 ZERO_STRUCT(zero_kt_entry);
664 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
665 smb_krb5_kt_free_entry(context, &kt_entry);
669 krb5_kt_cursor zero_csr;
670 ZERO_STRUCT(zero_csr);
671 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
672 krb5_kt_end_seq_get(context, keytab, &cursor);
676 krb5_kt_close(context, keytab);
679 krb5_free_context(context);
684 /**********************************************************************
686 ***********************************************************************/
688 int ads_keytab_list(const char *keytab_name)
690 krb5_error_code ret = 0;
691 krb5_context context = NULL;
692 krb5_keytab keytab = NULL;
693 krb5_kt_cursor cursor;
694 krb5_keytab_entry kt_entry;
696 ZERO_STRUCT(kt_entry);
699 initialize_krb5_error_table();
700 ret = krb5_init_context(&context);
702 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
706 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
708 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
712 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
717 printf("Vno Type Principal\n");
719 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
721 char *princ_s = NULL;
722 char *etype_s = NULL;
723 krb5_enctype enctype = 0;
725 ret = smb_krb5_unparse_name(context, kt_entry.principal, &princ_s);
730 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
732 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
738 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
743 ret = smb_krb5_kt_free_entry(context, &kt_entry);
749 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
754 /* Ensure we don't double free. */
755 ZERO_STRUCT(kt_entry);
760 krb5_keytab_entry zero_kt_entry;
761 ZERO_STRUCT(zero_kt_entry);
762 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
763 smb_krb5_kt_free_entry(context, &kt_entry);
767 krb5_kt_cursor zero_csr;
768 ZERO_STRUCT(zero_csr);
769 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
770 krb5_kt_end_seq_get(context, keytab, &cursor);
775 krb5_kt_close(context, keytab);
778 krb5_free_context(context);
783 #endif /* HAVE_KRB5 */
git.samba.org / kai / samba.git / blob