search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pam_winbind: fix warn_pwd_expire implementation.
[Samba.git] / source3 / libads / kerberos_keytab.c
blob56f0a772b51bb189ee1d76f41ad5b99070e63c6b
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
13
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
18
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
23
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 */
27
28 #include "includes.h"
29 #include "smb_krb5.h"
30 #include "ads.h"
31 #include "secrets.h"
32
33 #ifdef HAVE_KRB5
34
35 /**********************************************************************
36 **********************************************************************/
37
38 static krb5_error_code seek_and_delete_old_entries(krb5_context context,
39 krb5_keytab keytab,
40 krb5_kvno kvno,
41 const char *princ_s,
42 krb5_principal princ,
43 bool flush,
44 bool keep_old_entries)
45 {
46 krb5_error_code ret;
47 krb5_kt_cursor cursor;
48 krb5_kt_cursor zero_csr;
49 krb5_keytab_entry kt_entry;
50 krb5_keytab_entry zero_kt_entry;
51 char *ktprinc = NULL;
52
53 ZERO_STRUCT(cursor);
54 ZERO_STRUCT(zero_csr);
55 ZERO_STRUCT(kt_entry);
56 ZERO_STRUCT(zero_kt_entry);
57
58 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
59 if (ret == KRB5_KT_END || ret == ENOENT ) {
60 /* no entries */
61 return 0;
62 }
63
64 DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
65 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
66 bool name_ok = False;
67
68 if (!flush && (princ_s != NULL)) {
69 ret = smb_krb5_unparse_name(talloc_tos(), context,
70 kt_entry.principal,
71 &ktprinc);
72 if (ret) {
73 DEBUG(1, (__location__
74 ": smb_krb5_unparse_name failed "
75 "(%s)\n", error_message(ret)));
76 goto out;
77 }
78
79 #ifdef HAVE_KRB5_KT_COMPARE
80 name_ok = krb5_kt_compare(context, &kt_entry,
81 princ, 0, 0);
82 #else
83 name_ok = (strcmp(ktprinc, princ_s) == 0);
84 #endif
85
86 if (!name_ok) {
87 DEBUG(10, (__location__ ": ignoring keytab "
88 "entry principal %s, kvno = %d\n",
89 ktprinc, kt_entry.vno));
90
91 /* Not a match,
92 * just free this entry and continue. */
93 ret = smb_krb5_kt_free_entry(context,
94 &kt_entry);
95 ZERO_STRUCT(kt_entry);
96 if (ret) {
97 DEBUG(1, (__location__
98 ": smb_krb5_kt_free_entry "
99 "failed (%s)\n",
100 error_message(ret)));
101 goto out;
102 }
103
104 TALLOC_FREE(ktprinc);
105 continue;
106 }
107
108 TALLOC_FREE(ktprinc);
109 }
110
111 /*------------------------------------------------------------
112 * Save the entries with kvno - 1. This is what microsoft does
113 * to allow people with existing sessions that have kvno - 1
114 * to still work. Otherwise, when the password for the machine
115 * changes, all kerberizied sessions will 'break' until either
116 * the client reboots or the client's session key expires and
117 * they get a new session ticket with the new kvno.
118 */
119
120 if (!flush && (kt_entry.vno == kvno - 1)) {
121 DEBUG(5, (__location__ ": Saving previous (kvno %d) "
122 "entry for principal: %s.\n",
123 kvno - 1, princ_s));
124 continue;
125 }
126
127 if (keep_old_entries) {
128 DEBUG(5, (__location__ ": Saving old (kvno %d) "
129 "entry for principal: %s.\n",
130 kvno, princ_s));
131 continue;
132 }
133
134 DEBUG(5, (__location__ ": Found old entry for principal: %s "
135 "(kvno %d) - trying to remove it.\n",
136 princ_s, kt_entry.vno));
137
138 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
139 ZERO_STRUCT(cursor);
140 if (ret) {
141 DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
142 "failed (%s)\n", error_message(ret)));
143 goto out;
144 }
145 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
146 if (ret) {
147 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
148 "failed (%s)\n", error_message(ret)));
149 goto out;
150 }
151
152 DEBUG(5, (__location__ ": removed old entry for principal: "
153 "%s (kvno %d).\n", princ_s, kt_entry.vno));
154
155 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
156 if (ret) {
157 DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
158 "(%s)\n", error_message(ret)));
159 goto out;
160 }
161 ret = smb_krb5_kt_free_entry(context, &kt_entry);
162 ZERO_STRUCT(kt_entry);
163 if (ret) {
164 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
165 "failed (%s)\n", error_message(ret)));
166 goto out;
167 }
168 }
169
170 out:
171 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
172 smb_krb5_kt_free_entry(context, &kt_entry);
173 }
174 if (keytab) {
175 if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
176 krb5_kt_end_seq_get(context, keytab, &cursor);
177 }
178 }
179
180 return ret;
181 }
182
183 static int smb_krb5_kt_add_entry(krb5_context context,
184 krb5_keytab keytab,
185 krb5_kvno kvno,
186 const char *princ_s,
187 krb5_enctype *enctypes,
188 krb5_data password,
189 bool no_salt,
190 bool keep_old_entries)
191 {
192 krb5_error_code ret;
193 krb5_keytab_entry kt_entry;
194 krb5_principal princ = NULL;
195 int i;
196
197 ZERO_STRUCT(kt_entry);
198
199 ret = smb_krb5_parse_name(context, princ_s, &princ);
200 if (ret) {
201 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
202 "failed (%s)\n", princ_s, error_message(ret)));
203 goto out;
204 }
205
206 /* Seek and delete old keytab entries */
207 ret = seek_and_delete_old_entries(context, keytab, kvno,
208 princ_s, princ, false,
209 keep_old_entries);
210 if (ret) {
211 goto out;
212 }
213
214 /* If we get here, we have deleted all the old entries with kvno's
215 * not equal to the current kvno-1. */
216
217 /* Now add keytab entries for all encryption types */
218 for (i = 0; enctypes[i]; i++) {
219 krb5_keyblock *keyp;
220
221 keyp = KRB5_KT_KEY(&kt_entry);
222
223 if (create_kerberos_key_from_string(context, princ,
224 &password, keyp,
225 enctypes[i], no_salt)) {
226 continue;
227 }
228
229 kt_entry.principal = princ;
230 kt_entry.vno = kvno;
231
232 DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
233 "encryption type (%d) and version (%d)\n",
234 princ_s, enctypes[i], kt_entry.vno));
235 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
236 krb5_free_keyblock_contents(context, keyp);
237 ZERO_STRUCT(kt_entry);
238 if (ret) {
239 DEBUG(1, (__location__ ": adding entry to keytab "
240 "failed (%s)\n", error_message(ret)));
241 goto out;
242 }
243 }
244
245 out:
246 if (princ) {
247 krb5_free_principal(context, princ);
248 }
249
250 return (int)ret;
251 }
252
253 #ifdef HAVE_ADS
254
255 /**********************************************************************
256 Adds a single service principal, i.e. 'host' to the system keytab
257 ***********************************************************************/
258
259 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
260 {
261 krb5_error_code ret = 0;
262 krb5_context context = NULL;
263 krb5_keytab keytab = NULL;
264 krb5_data password;
265 krb5_kvno kvno;
266 krb5_enctype enctypes[6] = {
267 ENCTYPE_DES_CBC_CRC,
268 ENCTYPE_DES_CBC_MD5,
269 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
270 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
271 #endif
272 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
273 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
274 #endif
275 ENCTYPE_ARCFOUR_HMAC,
276 0
277 };
278 char *princ_s = NULL;
279 char *short_princ_s = NULL;
280 char *password_s = NULL;
281 char *my_fqdn;
282 TALLOC_CTX *tmpctx = NULL;
283 char *machine_name;
284 ADS_STATUS aderr;
285
286 initialize_krb5_error_table();
287 ret = krb5_init_context(&context);
288 if (ret) {
289 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
290 error_message(ret)));
291 return -1;
292 }
293
294 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
295 if (ret) {
296 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
297 error_message(ret)));
298 goto out;
299 }
300
301 /* retrieve the password */
302 if (!secrets_init()) {
303 DEBUG(1, (__location__ ": secrets_init failed\n"));
304 ret = -1;
305 goto out;
306 }
307 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
308 if (!password_s) {
309 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
310 ret = -1;
311 goto out;
312 }
313 ZERO_STRUCT(password);
314 password.data = password_s;
315 password.length = strlen(password_s);
316
317 /* we need the dNSHostName value here */
318 tmpctx = talloc_init(__location__);
319 if (!tmpctx) {
320 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
321 ret = -1;
322 goto out;
323 }
324
325 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
326 if (!my_fqdn) {
327 DEBUG(0, (__location__ ": unable to determine machine "
328 "account's dns name in AD!\n"));
329 ret = -1;
330 goto out;
331 }
332
333 machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name());
334 if (!machine_name) {
335 DEBUG(0, (__location__ ": unable to determine machine "
336 "account's short name in AD!\n"));
337 ret = -1;
338 goto out;
339 }
340 /*strip the trailing '$' */
341 machine_name[strlen(machine_name)-1] = '\0';
342
343 /* Construct our principal */
344 if (strchr_m(srvPrinc, '@')) {
345 /* It's a fully-named principal. */
346 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
347 if (!princ_s) {
348 ret = -1;
349 goto out;
350 }
351 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
352 /* It's the machine account, as used by smbclient clients. */
353 princ_s = talloc_asprintf(tmpctx, "%s@%s",
354 srvPrinc, lp_realm());
355 if (!princ_s) {
356 ret = -1;
357 goto out;
358 }
359 } else {
360 /* It's a normal service principal. Add the SPN now so that we
361 * can obtain credentials for it and double-check the salt value
362 * used to generate the service's keys. */
363
364 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
365 srvPrinc, my_fqdn, lp_realm());
366 if (!princ_s) {
367 ret = -1;
368 goto out;
369 }
370 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
371 srvPrinc, machine_name,
372 lp_realm());
373 if (short_princ_s == NULL) {
374 ret = -1;
375 goto out;
376 }
377
378 /* According to http://support.microsoft.com/kb/326985/en-us,
379 certain principal names are automatically mapped to the
380 host/... principal in the AD account.
381 So only create these in the keytab, not in AD. --jerry */
382
383 if (!strequal(srvPrinc, "cifs") &&
384 !strequal(srvPrinc, "host")) {
385 DEBUG(3, (__location__ ": Attempting to add/update "
386 "'%s'\n", princ_s));
387
388 aderr = ads_add_service_principal_name(ads,
389 lp_netbios_name(), my_fqdn, srvPrinc);
390 if (!ADS_ERR_OK(aderr)) {
391 DEBUG(1, (__location__ ": failed to "
392 "ads_add_service_principal_name.\n"));
393 goto out;
394 }
395 }
396 }
397
398 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
399 if (kvno == -1) {
400 /* -1 indicates failure, everything else is OK */
401 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
402 "determine the system's kvno.\n"));
403 ret = -1;
404 goto out;
405 }
406
407 /* add the fqdn principal to the keytab */
408 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
409 princ_s, enctypes, password,
410 false, false);
411 if (ret) {
412 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
413 goto out;
414 }
415
416 /* add the short principal name if we have one */
417 if (short_princ_s) {
418 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
419 short_princ_s, enctypes, password,
420 false, false);
421 if (ret) {
422 DEBUG(1, (__location__
423 ": Failed to add short entry to keytab\n"));
424 goto out;
425 }
426 }
427
428 out:
429 TALLOC_FREE(tmpctx);
430
431 if (keytab) {
432 krb5_kt_close(context, keytab);
433 }
434 if (context) {
435 krb5_free_context(context);
436 }
437 return (int)ret;
438 }
439
440 /**********************************************************************
441 Flushes all entries from the system keytab.
442 ***********************************************************************/
443
444 int ads_keytab_flush(ADS_STRUCT *ads)
445 {
446 krb5_error_code ret = 0;
447 krb5_context context = NULL;
448 krb5_keytab keytab = NULL;
449 krb5_kvno kvno;
450 ADS_STATUS aderr;
451
452 initialize_krb5_error_table();
453 ret = krb5_init_context(&context);
454 if (ret) {
455 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
456 error_message(ret)));
457 return ret;
458 }
459
460 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
461 if (ret) {
462 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
463 error_message(ret)));
464 goto out;
465 }
466
467 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
468 if (kvno == -1) {
469 /* -1 indicates a failure */
470 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
471 goto out;
472 }
473
474 /* Seek and delete old keytab entries */
475 ret = seek_and_delete_old_entries(context, keytab, kvno,
476 NULL, NULL, true, false);
477 if (ret) {
478 goto out;
479 }
480
481 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
482 if (!ADS_ERR_OK(aderr)) {
483 DEBUG(1, (__location__ ": Error while clearing service "
484 "principal listings in LDAP.\n"));
485 goto out;
486 }
487
488 out:
489 if (keytab) {
490 krb5_kt_close(context, keytab);
491 }
492 if (context) {
493 krb5_free_context(context);
494 }
495 return ret;
496 }
497
498 /**********************************************************************
499 Adds all the required service principals to the system keytab.
500 ***********************************************************************/
501
502 int ads_keytab_create_default(ADS_STRUCT *ads)
503 {
504 krb5_error_code ret = 0;
505 krb5_context context = NULL;
506 krb5_keytab keytab = NULL;
507 krb5_kt_cursor cursor;
508 krb5_keytab_entry kt_entry;
509 krb5_kvno kvno;
510 size_t found = 0;
511 char *sam_account_name, *upn;
512 char **oldEntries = NULL, *princ_s[26];
513 TALLOC_CTX *frame;
514 char *machine_name;
515 char **spn_array;
516 size_t num_spns;
517 size_t i;
518 ADS_STATUS status;
519
520 frame = talloc_stackframe();
521 if (frame == NULL) {
522 ret = -1;
523 goto done;
524 }
525
526 status = ads_get_service_principal_names(frame,
527 ads,
528 lp_netbios_name(),
529 &spn_array,
530 &num_spns);
531 if (!ADS_ERR_OK(status)) {
532 ret = -1;
533 goto done;
534 }
535
536 for (i = 0; i < num_spns; i++) {
537 char *srv_princ;
538 char *p;
539
540 srv_princ = strlower_talloc(frame, spn_array[i]);
541 if (srv_princ == NULL) {
542 ret = -1;
543 goto done;
544 }
545
546 p = strchr_m(srv_princ, '/');
547 if (p == NULL) {
548 continue;
549 }
550 p[0] = '\0';
551
552 /* Add the SPNs found on the DC */
553 ret = ads_keytab_add_entry(ads, srv_princ);
554 if (ret != 0) {
555 DEBUG(1, ("ads_keytab_add_entry failed while "
556 "adding '%s' principal.\n",
557 spn_array[i]));
558 goto done;
559 }
560 }
561
562 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
563 really needs them and we will fall back to verifying against
564 secrets.tdb */
565
566 ret = ads_keytab_add_entry(ads, "cifs"));
567 if (ret != 0 ) {
568 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
569 "adding 'cifs'.\n"));
570 return ret;
571 }
572 #endif
573
574 memset(princ_s, '\0', sizeof(princ_s));
575 ZERO_STRUCT(kt_entry);
576 ZERO_STRUCT(cursor);
577
578 initialize_krb5_error_table();
579 ret = krb5_init_context(&context);
580 if (ret) {
581 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
582 error_message(ret)));
583 goto done;
584 }
585
586 machine_name = talloc_strdup(frame, lp_netbios_name());
587 if (!machine_name) {
588 ret = -1;
589 goto done;
590 }
591
592 /* now add the userPrincipalName and sAMAccountName entries */
593 sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
594 if (!sam_account_name) {
595 DEBUG(0, (__location__ ": unable to determine machine "
596 "account's name in AD!\n"));
597 ret = -1;
598 goto done;
599 }
600
601 /* upper case the sAMAccountName to make it easier for apps to
602 know what case to use in the keytab file */
603 if (!strupper_m(sam_account_name)) {
604 ret = -1;
605 goto done;
606 }
607
608 ret = ads_keytab_add_entry(ads, sam_account_name);
609 if (ret != 0) {
610 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
611 "while adding sAMAccountName (%s)\n",
612 sam_account_name));
613 goto done;
614 }
615
616 /* remember that not every machine account will have a upn */
617 upn = ads_get_upn(ads, frame, machine_name);
618 if (upn) {
619 ret = ads_keytab_add_entry(ads, upn);
620 if (ret != 0) {
621 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
622 "failed while adding UPN (%s)\n", upn));
623 goto done;
624 }
625 }
626
627 /* Now loop through the keytab and update any other existing entries */
628 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
629 if (kvno == (krb5_kvno)-1) {
630 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
631 "determine the system's kvno.\n"));
632 goto done;
633 }
634
635 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
636 "and update.\n"));
637
638 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
639 if (ret) {
640 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
641 error_message(ret)));
642 goto done;
643 }
644
645 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
646 if (ret != KRB5_KT_END && ret != ENOENT ) {
647 while ((ret = krb5_kt_next_entry(context, keytab,
648 &kt_entry, &cursor)) == 0) {
649 smb_krb5_kt_free_entry(context, &kt_entry);
650 ZERO_STRUCT(kt_entry);
651 found++;
652 }
653 }
654 krb5_kt_end_seq_get(context, keytab, &cursor);
655 ZERO_STRUCT(cursor);
656
657 /*
658 * Hmmm. There is no "rewind" function for the keytab. This means we
659 * have a race condition where someone else could add entries after
660 * we've counted them. Re-open asap to minimise the race. JRA.
661 */
662 DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
663 if (!found) {
664 goto done;
665 }
666
667 oldEntries = talloc_zero_array(frame, char *, found + 1);
668 if (!oldEntries) {
669 DEBUG(1, (__location__ ": Failed to allocate space to store "
670 "the old keytab entries (talloc failed?).\n"));
671 ret = -1;
672 goto done;
673 }
674
675 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
676 if (ret == KRB5_KT_END || ret == ENOENT) {
677 krb5_kt_end_seq_get(context, keytab, &cursor);
678 ZERO_STRUCT(cursor);
679 goto done;
680 }
681
682 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
683 if (kt_entry.vno != kvno) {
684 char *ktprinc = NULL;
685 char *p;
686
687 /* This returns a malloc'ed string in ktprinc. */
688 ret = smb_krb5_unparse_name(oldEntries, context,
689 kt_entry.principal,
690 &ktprinc);
691 if (ret) {
692 DEBUG(1, (__location__
693 ": smb_krb5_unparse_name failed "
694 "(%s)\n", error_message(ret)));
695 goto done;
696 }
697 /*
698 * From looking at the krb5 source they don't seem to
699 * take locale or mb strings into account.
700 * Maybe this is because they assume utf8 ?
701 * In this case we may need to convert from utf8 to
702 * mb charset here ? JRA.
703 */
704 p = strchr_m(ktprinc, '@');
705 if (p) {
706 *p = '\0';
707 }
708
709 p = strchr_m(ktprinc, '/');
710 if (p) {
711 *p = '\0';
712 }
713 for (i = 0; i < found; i++) {
714 if (!oldEntries[i]) {
715 oldEntries[i] = ktprinc;
716 break;
717 }
718 if (!strcmp(oldEntries[i], ktprinc)) {
719 TALLOC_FREE(ktprinc);
720 break;
721 }
722 }
723 if (i == found) {
724 TALLOC_FREE(ktprinc);
725 }
726 }
727 smb_krb5_kt_free_entry(context, &kt_entry);
728 ZERO_STRUCT(kt_entry);
729 }
730 ret = 0;
731 for (i = 0; oldEntries[i]; i++) {
732 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
733 TALLOC_FREE(oldEntries[i]);
734 }
735 krb5_kt_end_seq_get(context, keytab, &cursor);
736 ZERO_STRUCT(cursor);
737
738 done:
739 TALLOC_FREE(oldEntries);
740 TALLOC_FREE(frame);
741
742 {
743 krb5_keytab_entry zero_kt_entry;
744 ZERO_STRUCT(zero_kt_entry);
745 if (memcmp(&zero_kt_entry, &kt_entry,
746 sizeof(krb5_keytab_entry))) {
747 smb_krb5_kt_free_entry(context, &kt_entry);
748 }
749 }
750 {
751 krb5_kt_cursor zero_csr;
752 ZERO_STRUCT(zero_csr);
753 if ((memcmp(&cursor, &zero_csr,
754 sizeof(krb5_kt_cursor)) != 0) && keytab) {
755 krb5_kt_end_seq_get(context, keytab, &cursor);
756 }
757 }
758 if (keytab) {
759 krb5_kt_close(context, keytab);
760 }
761 if (context) {
762 krb5_free_context(context);
763 }
764 return ret;
765 }
766
767 #endif /* HAVE_ADS */
768
769 /**********************************************************************
770 List system keytab.
771 ***********************************************************************/
772
773 int ads_keytab_list(const char *keytab_name)
774 {
775 krb5_error_code ret = 0;
776 krb5_context context = NULL;
777 krb5_keytab keytab = NULL;
778 krb5_kt_cursor cursor;
779 krb5_keytab_entry kt_entry;
780
781 ZERO_STRUCT(kt_entry);
782 ZERO_STRUCT(cursor);
783
784 initialize_krb5_error_table();
785 ret = krb5_init_context(&context);
786 if (ret) {
787 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
788 error_message(ret)));
789 return ret;
790 }
791
792 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
793 if (ret) {
794 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
795 error_message(ret)));
796 goto out;
797 }
798
799 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
800 if (ret) {
801 ZERO_STRUCT(cursor);
802 goto out;
803 }
804
805 printf("Vno Type Principal\n");
806
807 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
808
809 char *princ_s = NULL;
810 char *etype_s = NULL;
811 krb5_enctype enctype = 0;
812
813 ret = smb_krb5_unparse_name(talloc_tos(), context,
814 kt_entry.principal, &princ_s);
815 if (ret) {
816 goto out;
817 }
818
819 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
820
821 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
822 if (ret &&
823 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
824 TALLOC_FREE(princ_s);
825 goto out;
826 }
827
828 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
829
830 TALLOC_FREE(princ_s);
831 SAFE_FREE(etype_s);
832
833 ret = smb_krb5_kt_free_entry(context, &kt_entry);
834 if (ret) {
835 goto out;
836 }
837 }
838
839 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
840 if (ret) {
841 goto out;
842 }
843
844 /* Ensure we don't double free. */
845 ZERO_STRUCT(kt_entry);
846 ZERO_STRUCT(cursor);
847 out:
848
849 {
850 krb5_keytab_entry zero_kt_entry;
851 ZERO_STRUCT(zero_kt_entry);
852 if (memcmp(&zero_kt_entry, &kt_entry,
853 sizeof(krb5_keytab_entry))) {
854 smb_krb5_kt_free_entry(context, &kt_entry);
855 }
856 }
857 {
858 krb5_kt_cursor zero_csr;
859 ZERO_STRUCT(zero_csr);
860 if ((memcmp(&cursor, &zero_csr,
861 sizeof(krb5_kt_cursor)) != 0) && keytab) {
862 krb5_kt_end_seq_get(context, keytab, &cursor);
863 }
864 }
865
866 if (keytab) {
867 krb5_kt_close(context, keytab);
868 }
869 if (context) {
870 krb5_free_context(context);
871 }
872 return ret;
873 }
874
875 #endif /* HAVE_KRB5 */
Samba GIT mirror