2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
13 This program is free software; you can redistribute it and/or modify
14 it under the terms of the GNU General Public License as published by
15 the Free Software Foundation; either version 2 of the License, or
16 (at your option) any later version.
18 This program is distributed in the hope that it will be useful,
19 but WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 GNU General Public License for more details.
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 /**********************************************************************
33 Adds a single service principal, i.e. 'host' to the system keytab
34 ***********************************************************************/
36 int ads_keytab_add_entry(ADS_STRUCT
*ads
, const char *srvPrinc
)
38 krb5_error_code ret
= 0;
39 krb5_context context
= NULL
;
40 krb5_keytab keytab
= NULL
;
41 krb5_kt_cursor cursor
;
42 krb5_keytab_entry kt_entry
;
43 krb5_principal princ
= NULL
;
45 krb5_enctype
*enctypes
= NULL
;
48 char *principal
= NULL
;
50 char *password_s
= NULL
;
51 #ifndef MAX_KEYTAB_NAME_LEN
52 #define MAX_KEYTAB_NAME_LEN 1100
54 char keytab_name
[MAX_KEYTAB_NAME_LEN
]; /* This MAX_NAME_LEN is a constant defined in krb5.h */
59 ZERO_STRUCT(kt_entry
);
62 initialize_krb5_error_table();
63 ret
= krb5_init_context(&context
);
65 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret
)));
68 #ifdef HAVE_WRFILE_KEYTAB /* MIT */
71 ret
= krb5_kt_default_name(context
, (char *) &keytab_name
[2], MAX_KEYTAB_NAME_LEN
- 4);
73 ret
= krb5_kt_default_name(context
, (char *) &keytab_name
[0], MAX_KEYTAB_NAME_LEN
- 2);
76 DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret
)));
79 DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name
));
80 ret
= krb5_kt_resolve(context
, (char *) &keytab_name
, &keytab
);
82 DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret
)));
86 /* retrieve the password */
87 if (!secrets_init()) {
88 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
92 password_s
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
94 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
98 password
.data
= password_s
;
99 password
.length
= strlen(password_s
);
101 /* Construct our principal */
102 name_to_fqdn(my_fqdn
, global_myname());
105 if (strchr_m(srvPrinc
, '@')) {
106 /* It's a fully-named principal. */
107 asprintf(&princ_s
, "%s", srvPrinc
);
108 } else if (srvPrinc
[strlen(srvPrinc
)-1] == '$') {
109 /* It's the machine account, as used by smbclient clients. */
110 asprintf(&princ_s
, "%s@%s", srvPrinc
, lp_realm());
112 /* It's a normal service principal. Add the SPN now so that we
113 * can obtain credentials for it and double-check the salt value
114 * used to generate the service's keys. */
115 asprintf(&princ_s
, "%s/%s@%s", srvPrinc
, my_fqdn
, lp_realm());
116 /* Update the directory with the SPN */
117 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s
));
118 if (!ADS_ERR_OK(ads_add_service_principal_name(ads
, global_myname(), srvPrinc
))) {
119 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
124 ret
= get_kerberos_allowed_etypes(context
,&enctypes
);
126 DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret
)));
130 /* Guess at how the KDC is salting keys for this principal. */
131 kerberos_derive_salting_principal(princ_s
);
133 ret
= krb5_parse_name(context
, princ_s
, &princ
);
135 DEBUG(1,("ads_keytab_add_entry: krb5_parse_name(%s) failed (%s)\n", princ_s
, error_message(ret
)));
139 kvno
= (krb5_kvno
) ads_get_kvno(ads
, global_myname());
140 if (kvno
== -1) { /* -1 indicates failure, everything else is OK */
141 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
146 /* Seek and delete old keytab entries */
147 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
148 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
149 DEBUG(3,("ads_keytab_add_entry: Will try to delete old keytab entries\n"));
150 while(!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
151 BOOL compare_name_ok
= False
;
153 ret
= krb5_unparse_name(context
, kt_entry
.principal
, &ktprinc
);
155 DEBUG(1,("ads_keytab_add_entry: krb5_unparse_name failed (%s)\n", error_message(ret
)));
159 /*---------------------------------------------------------------------------
160 * Save the entries with kvno - 1. This is what microsoft does
161 * to allow people with existing sessions that have kvno - 1 to still
162 * work. Otherwise, when the password for the machine changes, all
163 * kerberizied sessions will 'break' until either the client reboots or
164 * the client's session key expires and they get a new session ticket
168 #ifdef HAVE_KRB5_KT_COMPARE
169 compare_name_ok
= (krb5_kt_compare(context
, &kt_entry
, princ
, 0, 0) == True
);
171 compare_name_ok
= (strcmp(ktprinc
, princ_s
) == 0);
174 if (!compare_name_ok
) {
175 DEBUG(10,("ads_keytab_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
176 ktprinc
, kt_entry
.vno
));
179 krb5_free_unparsed_name(context
, ktprinc
);
182 if (compare_name_ok
) {
183 if (kt_entry
.vno
== kvno
- 1) {
184 DEBUG(5,("ads_keytab_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
188 DEBUG(5,("ads_keytab_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
189 princ_s
, kt_entry
.vno
));
190 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
193 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
194 error_message(ret
)));
197 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
199 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
200 error_message(ret
)));
204 DEBUG(5,("ads_keytab_add_entry: removed old entry for principal: %s (kvno %d).\n",
205 princ_s
, kt_entry
.vno
));
207 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
209 DEBUG(1,("ads_keytab_add_entry: krb5_kt_start_seq failed (%s)\n",
210 error_message(ret
)));
213 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
214 ZERO_STRUCT(kt_entry
);
216 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
217 error_message(ret
)));
224 /* Not a match, just free this entry and continue. */
225 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
226 ZERO_STRUCT(kt_entry
);
228 DEBUG(1,("ads_keytab_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret
)));
233 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
236 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret
)));
241 /* Ensure we don't double free. */
242 ZERO_STRUCT(kt_entry
);
245 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
247 /* Now add keytab entries for all encryption types */
248 for (i
= 0; enctypes
[i
]; i
++) {
251 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
252 #error krb5_keytab_entry has no key or keyblock member
254 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
255 keyp
= &kt_entry
.key
;
257 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
258 keyp
= &kt_entry
.keyblock
;
260 if (create_kerberos_key_from_string(context
, princ
, &password
, keyp
, enctypes
[i
])) {
264 kt_entry
.principal
= princ
;
267 DEBUG(3,("ads_keytab_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
268 princ_s
, enctypes
[i
], kt_entry
.vno
));
269 ret
= krb5_kt_add_entry(context
, keytab
, &kt_entry
);
270 krb5_free_keyblock_contents(context
, keyp
);
271 ZERO_STRUCT(kt_entry
);
273 DEBUG(1,("ads_keytab_add_entry: adding entry to keytab failed (%s)\n", error_message(ret
)));
278 krb5_kt_close(context
, keytab
);
279 keytab
= NULL
; /* Done with keytab now. No double free. */
283 SAFE_FREE(principal
);
284 SAFE_FREE(password_s
);
288 krb5_keytab_entry zero_kt_entry
;
289 ZERO_STRUCT(zero_kt_entry
);
290 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
291 smb_krb5_kt_free_entry(context
, &kt_entry
);
295 krb5_free_principal(context
, princ
);
298 free_kerberos_etypes(context
, enctypes
);
302 krb5_kt_cursor zero_csr
;
303 ZERO_STRUCT(zero_csr
);
304 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
305 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
309 krb5_kt_close(context
, keytab
);
312 krb5_free_context(context
);
317 /**********************************************************************
318 Flushes all entries from the system keytab.
319 ***********************************************************************/
321 int ads_keytab_flush(ADS_STRUCT
*ads
)
323 krb5_error_code ret
= 0;
324 krb5_context context
= NULL
;
325 krb5_keytab keytab
= NULL
;
326 krb5_kt_cursor cursor
;
327 krb5_keytab_entry kt_entry
;
329 char keytab_name
[MAX_KEYTAB_NAME_LEN
];
331 ZERO_STRUCT(kt_entry
);
334 initialize_krb5_error_table();
335 ret
= krb5_init_context(&context
);
337 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret
)));
340 #ifdef HAVE_WRFILE_KEYTAB
341 keytab_name
[0] = 'W';
342 keytab_name
[1] = 'R';
343 ret
= krb5_kt_default_name(context
, (char *) &keytab_name
[2], MAX_KEYTAB_NAME_LEN
- 4);
345 ret
= krb5_kt_default_name(context
, (char *) &keytab_name
[0], MAX_KEYTAB_NAME_LEN
- 2);
348 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret
)));
351 DEBUG(3,("ads_keytab_flush: Using default keytab: %s\n", (char *) &keytab_name
));
352 ret
= krb5_kt_resolve(context
, (char *) &keytab_name
, &keytab
);
354 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret
)));
357 ret
= krb5_kt_resolve(context
, (char *) &keytab_name
, &keytab
);
359 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret
)));
363 kvno
= (krb5_kvno
) ads_get_kvno(ads
, global_myname());
364 if (kvno
== -1) { /* -1 indicates a failure */
365 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
369 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
370 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
371 while (!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
372 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
375 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret
)));
378 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
380 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret
)));
383 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
385 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret
)));
388 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
389 ZERO_STRUCT(kt_entry
);
391 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret
)));
397 /* Ensure we don't double free. */
398 ZERO_STRUCT(kt_entry
);
401 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads
, global_myname()))) {
402 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
409 krb5_keytab_entry zero_kt_entry
;
410 ZERO_STRUCT(zero_kt_entry
);
411 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
412 smb_krb5_kt_free_entry(context
, &kt_entry
);
416 krb5_kt_cursor zero_csr
;
417 ZERO_STRUCT(zero_csr
);
418 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
419 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
423 krb5_kt_close(context
, keytab
);
426 krb5_free_context(context
);
431 /**********************************************************************
432 Adds all the required service principals to the system keytab.
433 ***********************************************************************/
435 int ads_keytab_create_default(ADS_STRUCT
*ads
)
437 krb5_error_code ret
= 0;
438 krb5_context context
= NULL
;
439 krb5_keytab keytab
= NULL
;
440 krb5_kt_cursor cursor
;
441 krb5_keytab_entry kt_entry
;
443 fstring my_fqdn
, my_Fqdn
, my_name
, my_NAME
;
446 char **oldEntries
= NULL
, *princ_s
[18];;
448 ret
= ads_keytab_add_entry(ads
, "host");
450 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
453 ret
= ads_keytab_add_entry(ads
, "cifs");
455 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
459 fstrcpy(my_name
, global_myname());
462 fstrcpy(my_NAME
, global_myname());
466 name_to_fqdn(my_fqdn
, global_myname());
469 p_fqdn
= strchr_m(my_fqdn
, '.');
470 fstrcpy(my_Fqdn
, my_NAME
);
472 fstrcat(my_Fqdn
, p_fqdn
);
475 asprintf(&princ_s
[0], "%s$@%s", my_name
, lp_realm());
476 asprintf(&princ_s
[1], "%s$@%s", my_NAME
, lp_realm());
477 asprintf(&princ_s
[2], "host/%s@%s", my_name
, lp_realm());
478 asprintf(&princ_s
[3], "host/%s@%s", my_NAME
, lp_realm());
479 asprintf(&princ_s
[4], "host/%s@%s", my_fqdn
, lp_realm());
480 asprintf(&princ_s
[5], "host/%s@%s", my_Fqdn
, lp_realm());
481 asprintf(&princ_s
[6], "HOST/%s@%s", my_name
, lp_realm());
482 asprintf(&princ_s
[7], "HOST/%s@%s", my_NAME
, lp_realm());
483 asprintf(&princ_s
[8], "HOST/%s@%s", my_fqdn
, lp_realm());
484 asprintf(&princ_s
[9], "HOST/%s@%s", my_Fqdn
, lp_realm());
485 asprintf(&princ_s
[10], "cifs/%s@%s", my_name
, lp_realm());
486 asprintf(&princ_s
[11], "cifs/%s@%s", my_NAME
, lp_realm());
487 asprintf(&princ_s
[12], "cifs/%s@%s", my_fqdn
, lp_realm());
488 asprintf(&princ_s
[13], "cifs/%s@%s", my_Fqdn
, lp_realm());
489 asprintf(&princ_s
[14], "CIFS/%s@%s", my_name
, lp_realm());
490 asprintf(&princ_s
[15], "CIFS/%s@%s", my_NAME
, lp_realm());
491 asprintf(&princ_s
[16], "CIFS/%s@%s", my_fqdn
, lp_realm());
492 asprintf(&princ_s
[17], "CIFS/%s@%s", my_Fqdn
, lp_realm());
494 for (i
= 0; i
< sizeof(princ_s
) / sizeof(princ_s
[0]); i
++) {
495 if (princ_s
[i
] != NULL
) {
496 ret
= ads_keytab_add_entry(ads
, princ_s
[i
]);
498 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s
[i
]));
500 SAFE_FREE(princ_s
[i
]);
504 kvno
= (krb5_kvno
) ads_get_kvno(ads
, global_myname());
506 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
510 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to preserve and update.\n"));
511 /* Now loop through the keytab and update any other existing entries... */
513 ZERO_STRUCT(kt_entry
);
516 initialize_krb5_error_table();
517 ret
= krb5_init_context(&context
);
519 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret
)));
522 ret
= krb5_kt_default(context
, &keytab
);
524 DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret
)));
528 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
529 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
530 while ((ret
= krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) == 0) {
531 smb_krb5_kt_free_entry(context
, &kt_entry
);
532 ZERO_STRUCT(kt_entry
);
536 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
540 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
541 * where someone else could add entries after we've counted them. Re-open asap to minimise
545 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found
));
549 oldEntries
= SMB_MALLOC_ARRAY(char *, found
);
551 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
555 memset(oldEntries
, '\0', found
* sizeof(char *));
557 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
558 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
559 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
560 if (kt_entry
.vno
!= kvno
) {
561 char *ktprinc
= NULL
;
564 /* This returns a malloc'ed string in ktprinc. */
565 ret
= krb5_unparse_name(context
, kt_entry
.principal
, &ktprinc
);
567 DEBUG(1,("krb5_unparse_name failed (%s)\n", error_message(ret
)));
571 * From looking at the krb5 source they don't seem to take locale
572 * or mb strings into account. Maybe this is because they assume utf8 ?
573 * In this case we may need to convert from utf8 to mb charset here ? JRA.
575 p
= strchr_m(ktprinc
, '@');
580 p
= strchr_m(ktprinc
, '/');
584 for (i
= 0; i
< found
; i
++) {
585 if (!oldEntries
[i
]) {
586 oldEntries
[i
] = ktprinc
;
589 if (!strcmp(oldEntries
[i
], ktprinc
)) {
590 krb5_free_unparsed_name(context
, ktprinc
);
595 krb5_free_unparsed_name(context
, ktprinc
);
598 smb_krb5_kt_free_entry(context
, &kt_entry
);
599 ZERO_STRUCT(kt_entry
);
602 for (i
= 0; oldEntries
[i
]; i
++) {
603 ret
|= ads_keytab_add_entry(ads
, oldEntries
[i
]);
604 krb5_free_unparsed_name(context
, oldEntries
[i
]);
606 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
612 SAFE_FREE(oldEntries
);
615 krb5_keytab_entry zero_kt_entry
;
616 ZERO_STRUCT(zero_kt_entry
);
617 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
618 smb_krb5_kt_free_entry(context
, &kt_entry
);
622 krb5_kt_cursor zero_csr
;
623 ZERO_STRUCT(zero_csr
);
624 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
625 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
629 krb5_kt_close(context
, keytab
);
632 krb5_free_context(context
);
636 #endif /* HAVE_KRB5 */