2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003,2007
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 2 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, write to the Free Software
26 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 /* This MAX_NAME_LEN is a constant defined in krb5.h */
34 #ifndef MAX_KEYTAB_NAME_LEN
35 #define MAX_KEYTAB_NAME_LEN 1100
38 /**********************************************************************
39 * Open a krb5 keytab with flags, handles readonly or readwrite access and
40 * allows to process non-default keytab names.
41 * @param context krb5_context
42 * @param keytab_name_req string
43 * @param write_access BOOL if writable keytab is required
44 * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close())
45 * @return krb5_error_code
46 **********************************************************************/
48 krb5_error_code
smb_krb5_open_keytab(krb5_context context
,
49 const char *keytab_name_req
,
53 krb5_error_code ret
= 0;
55 char keytab_string
[MAX_KEYTAB_NAME_LEN
];
56 BOOL found_valid_name
= False
;
57 const char *pragma
= "FILE";
58 const char *tmp
= NULL
;
60 if (!write_access
&& !keytab_name_req
) {
61 /* caller just wants to read the default keytab readonly, so be it */
62 return krb5_kt_default(context
, keytab
);
65 mem_ctx
= talloc_init("smb_krb5_open_keytab");
70 #ifdef HAVE_WRFILE_KEYTAB
76 if (keytab_name_req
) {
78 if (strlen(keytab_name_req
) > MAX_KEYTAB_NAME_LEN
) {
79 ret
= KRB5_CONFIG_NOTENUFSPACE
;
83 if ((strncmp(keytab_name_req
, "WRFILE:/", 8) == 0) ||
84 (strncmp(keytab_name_req
, "FILE:/", 6) == 0)) {
85 tmp
= keytab_name_req
;
89 if (keytab_name_req
[0] != '/') {
90 ret
= KRB5_KT_BADNAME
;
94 tmp
= talloc_asprintf(mem_ctx
, "%s:%s", pragma
, keytab_name_req
);
103 /* we need to handle more complex keytab_strings, like:
104 * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
106 ret
= krb5_kt_default_name(context
, &keytab_string
[0], MAX_KEYTAB_NAME_LEN
- 2);
111 DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string
));
113 tmp
= talloc_strdup(mem_ctx
, keytab_string
);
119 if (strncmp(tmp
, "ANY:", 4) == 0) {
123 memset(&keytab_string
, '\0', sizeof(keytab_string
));
125 while (next_token(&tmp
, keytab_string
, ",", sizeof(keytab_string
))) {
127 if (strncmp(keytab_string
, "WRFILE:", 7) == 0) {
128 found_valid_name
= True
;
133 if (strncmp(keytab_string
, "FILE:", 5) == 0) {
134 found_valid_name
= True
;
139 if (found_valid_name
) {
142 ret
= KRB5_KT_BADNAME
;
146 tmp
= talloc_asprintf(mem_ctx
, "%s:%s", pragma
, tmp
);
155 if (!found_valid_name
) {
156 ret
= KRB5_KT_UNKNOWN_TYPE
;
161 DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp
));
162 ret
= krb5_kt_resolve(context
, tmp
, keytab
);
165 TALLOC_FREE(mem_ctx
);
169 /**********************************************************************
170 **********************************************************************/
172 static int smb_krb5_kt_add_entry( krb5_context context
, krb5_keytab keytab
,
173 krb5_kvno kvno
, const char *princ_s
,
174 krb5_enctype
*enctypes
, krb5_data password
)
176 krb5_error_code ret
= 0;
177 krb5_kt_cursor cursor
;
178 krb5_keytab_entry kt_entry
;
179 krb5_principal princ
= NULL
;
181 char *ktprinc
= NULL
;
183 ZERO_STRUCT(kt_entry
);
186 ret
= smb_krb5_parse_name(context
, princ_s
, &princ
);
188 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s
, error_message(ret
)));
192 /* Seek and delete old keytab entries */
193 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
194 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
195 DEBUG(3,("smb_krb5_kt_add_entry: Will try to delete old keytab entries\n"));
196 while(!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
197 BOOL compare_name_ok
= False
;
199 ret
= smb_krb5_unparse_name(context
, kt_entry
.principal
, &ktprinc
);
201 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_unparse_name failed (%s)\n",
202 error_message(ret
)));
206 /*---------------------------------------------------------------------------
207 * Save the entries with kvno - 1. This is what microsoft does
208 * to allow people with existing sessions that have kvno - 1 to still
209 * work. Otherwise, when the password for the machine changes, all
210 * kerberizied sessions will 'break' until either the client reboots or
211 * the client's session key expires and they get a new session ticket
215 #ifdef HAVE_KRB5_KT_COMPARE
216 compare_name_ok
= (krb5_kt_compare(context
, &kt_entry
, princ
, 0, 0) == True
);
218 compare_name_ok
= (strcmp(ktprinc
, princ_s
) == 0);
221 if (!compare_name_ok
) {
222 DEBUG(10,("smb_krb5_kt_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
223 ktprinc
, kt_entry
.vno
));
228 if (compare_name_ok
) {
229 if (kt_entry
.vno
== kvno
- 1) {
230 DEBUG(5,("smb_krb5_kt_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
234 DEBUG(5,("smb_krb5_kt_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
235 princ_s
, kt_entry
.vno
));
236 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
239 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
240 error_message(ret
)));
243 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
245 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
246 error_message(ret
)));
250 DEBUG(5,("smb_krb5_kt_add_entry: removed old entry for principal: %s (kvno %d).\n",
251 princ_s
, kt_entry
.vno
));
253 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
255 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_start_seq failed (%s)\n",
256 error_message(ret
)));
259 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
260 ZERO_STRUCT(kt_entry
);
262 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
263 error_message(ret
)));
270 /* Not a match, just free this entry and continue. */
271 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
272 ZERO_STRUCT(kt_entry
);
274 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret
)));
279 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
282 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret
)));
287 /* Ensure we don't double free. */
288 ZERO_STRUCT(kt_entry
);
291 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
293 /* Now add keytab entries for all encryption types */
294 for (i
= 0; enctypes
[i
]; i
++) {
297 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
298 #error krb5_keytab_entry has no key or keyblock member
300 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
301 keyp
= &kt_entry
.key
;
303 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
304 keyp
= &kt_entry
.keyblock
;
306 if (create_kerberos_key_from_string(context
, princ
, &password
, keyp
, enctypes
[i
])) {
310 kt_entry
.principal
= princ
;
313 DEBUG(3,("smb_krb5_kt_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
314 princ_s
, enctypes
[i
], kt_entry
.vno
));
315 ret
= krb5_kt_add_entry(context
, keytab
, &kt_entry
);
316 krb5_free_keyblock_contents(context
, keyp
);
317 ZERO_STRUCT(kt_entry
);
319 DEBUG(1,("smb_krb5_kt_add_entry: adding entry to keytab failed (%s)\n", error_message(ret
)));
327 krb5_keytab_entry zero_kt_entry
;
328 ZERO_STRUCT(zero_kt_entry
);
329 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
330 smb_krb5_kt_free_entry(context
, &kt_entry
);
334 krb5_free_principal(context
, princ
);
338 krb5_kt_cursor zero_csr
;
339 ZERO_STRUCT(zero_csr
);
340 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
341 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
349 /**********************************************************************
350 Adds a single service principal, i.e. 'host' to the system keytab
351 ***********************************************************************/
353 int ads_keytab_add_entry(ADS_STRUCT
*ads
, const char *srvPrinc
)
355 krb5_error_code ret
= 0;
356 krb5_context context
= NULL
;
357 krb5_keytab keytab
= NULL
;
360 krb5_enctype enctypes
[4] = { ENCTYPE_DES_CBC_CRC
, ENCTYPE_DES_CBC_MD5
, 0, 0 };
361 char *princ_s
= NULL
, *short_princ_s
= NULL
;
362 char *password_s
= NULL
;
364 TALLOC_CTX
*ctx
= NULL
;
367 #if defined(ENCTYPE_ARCFOUR_HMAC)
368 enctypes
[2] = ENCTYPE_ARCFOUR_HMAC
;
371 initialize_krb5_error_table();
372 ret
= krb5_init_context(&context
);
374 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret
)));
378 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
380 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret
)));
384 /* retrieve the password */
385 if (!secrets_init()) {
386 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
390 password_s
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
392 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
396 password
.data
= password_s
;
397 password
.length
= strlen(password_s
);
399 /* we need the dNSHostName value here */
401 if ( (ctx
= talloc_init("ads_keytab_add_entry")) == NULL
) {
402 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
407 if ( (my_fqdn
= ads_get_dnshostname( ads
, ctx
, global_myname())) == NULL
) {
408 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
413 if ( (machine_name
= ads_get_samaccountname( ads
, ctx
, global_myname())) == NULL
) {
414 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
418 /*strip the trailing '$' */
419 machine_name
[strlen(machine_name
)-1] = '\0';
421 /* Construct our principal */
423 if (strchr_m(srvPrinc
, '@')) {
424 /* It's a fully-named principal. */
425 asprintf(&princ_s
, "%s", srvPrinc
);
426 } else if (srvPrinc
[strlen(srvPrinc
)-1] == '$') {
427 /* It's the machine account, as used by smbclient clients. */
428 asprintf(&princ_s
, "%s@%s", srvPrinc
, lp_realm());
430 /* It's a normal service principal. Add the SPN now so that we
431 * can obtain credentials for it and double-check the salt value
432 * used to generate the service's keys. */
434 asprintf(&princ_s
, "%s/%s@%s", srvPrinc
, my_fqdn
, lp_realm());
435 asprintf(&short_princ_s
, "%s/%s@%s", srvPrinc
, machine_name
, lp_realm());
437 /* According to http://support.microsoft.com/kb/326985/en-us,
438 certain principal names are automatically mapped to the host/...
439 principal in the AD account. So only create these in the
440 keytab, not in AD. --jerry */
442 if ( !strequal( srvPrinc
, "cifs" ) && !strequal(srvPrinc
, "host" ) ) {
443 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s
));
445 if (!ADS_ERR_OK(ads_add_service_principal_name(ads
, global_myname(), my_fqdn
, srvPrinc
))) {
446 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
452 kvno
= (krb5_kvno
) ads_get_kvno(ads
, global_myname());
453 if (kvno
== -1) { /* -1 indicates failure, everything else is OK */
454 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
459 /* add the fqdn principal to the keytab */
461 ret
= smb_krb5_kt_add_entry( context
, keytab
, kvno
, princ_s
, enctypes
, password
);
463 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
467 /* add the short principal name if we have one */
469 if ( short_princ_s
) {
470 ret
= smb_krb5_kt_add_entry( context
, keytab
, kvno
, short_princ_s
, enctypes
, password
);
472 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
478 SAFE_FREE( princ_s
);
479 SAFE_FREE( short_princ_s
);
483 krb5_kt_close(context
, keytab
);
486 krb5_free_context(context
);
491 /**********************************************************************
492 Flushes all entries from the system keytab.
493 ***********************************************************************/
495 int ads_keytab_flush(ADS_STRUCT
*ads
)
497 krb5_error_code ret
= 0;
498 krb5_context context
= NULL
;
499 krb5_keytab keytab
= NULL
;
500 krb5_kt_cursor cursor
;
501 krb5_keytab_entry kt_entry
;
504 ZERO_STRUCT(kt_entry
);
507 initialize_krb5_error_table();
508 ret
= krb5_init_context(&context
);
510 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret
)));
514 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
516 DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret
)));
520 kvno
= (krb5_kvno
) ads_get_kvno(ads
, global_myname());
521 if (kvno
== -1) { /* -1 indicates a failure */
522 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
526 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
527 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
528 while (!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
529 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
532 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret
)));
535 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
537 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret
)));
540 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
542 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret
)));
545 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
546 ZERO_STRUCT(kt_entry
);
548 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret
)));
554 /* Ensure we don't double free. */
555 ZERO_STRUCT(kt_entry
);
558 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads
, global_myname()))) {
559 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
566 krb5_keytab_entry zero_kt_entry
;
567 ZERO_STRUCT(zero_kt_entry
);
568 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
569 smb_krb5_kt_free_entry(context
, &kt_entry
);
573 krb5_kt_cursor zero_csr
;
574 ZERO_STRUCT(zero_csr
);
575 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
576 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
580 krb5_kt_close(context
, keytab
);
583 krb5_free_context(context
);
588 /**********************************************************************
589 Adds all the required service principals to the system keytab.
590 ***********************************************************************/
592 int ads_keytab_create_default(ADS_STRUCT
*ads
)
594 krb5_error_code ret
= 0;
595 krb5_context context
= NULL
;
596 krb5_keytab keytab
= NULL
;
597 krb5_kt_cursor cursor
;
598 krb5_keytab_entry kt_entry
;
601 char *sam_account_name
, *upn
;
602 char **oldEntries
= NULL
, *princ_s
[26];
603 TALLOC_CTX
*ctx
= NULL
;
604 fstring machine_name
;
606 memset(princ_s
, '\0', sizeof(princ_s
));
608 fstrcpy( machine_name
, global_myname() );
610 /* these are the main ones we need */
612 if ( (ret
= ads_keytab_add_entry(ads
, "host") ) != 0 ) {
613 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
618 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
619 really needs them and we will fall back to verifying against secrets.tdb */
621 if ( (ret
= ads_keytab_add_entry(ads
, "cifs")) != 0 ) {
622 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
627 if ( (ctx
= talloc_init("ads_keytab_create_default")) == NULL
) {
628 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
632 /* now add the userPrincipalName and sAMAccountName entries */
634 if ( (sam_account_name
= ads_get_samaccountname( ads
, ctx
, machine_name
)) == NULL
) {
635 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
640 /* upper case the sAMAccountName to make it easier for apps to
641 know what case to use in the keytab file */
643 strupper_m( sam_account_name
);
645 if ( (ret
= ads_keytab_add_entry(ads
, sam_account_name
)) != 0 ) {
646 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
651 /* remember that not every machine account will have a upn */
653 upn
= ads_get_upn( ads
, ctx
, machine_name
);
655 if ( (ret
= ads_keytab_add_entry(ads
, upn
)) != 0 ) {
656 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
665 /* Now loop through the keytab and update any other existing entries... */
667 kvno
= (krb5_kvno
) ads_get_kvno(ads
, machine_name
);
669 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
673 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
674 "preserve and update.\n"));
676 ZERO_STRUCT(kt_entry
);
679 initialize_krb5_error_table();
680 ret
= krb5_init_context(&context
);
682 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret
)));
685 ret
= krb5_kt_default(context
, &keytab
);
687 DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret
)));
691 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
692 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
693 while ((ret
= krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) == 0) {
694 smb_krb5_kt_free_entry(context
, &kt_entry
);
695 ZERO_STRUCT(kt_entry
);
699 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
703 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
704 * where someone else could add entries after we've counted them. Re-open asap to minimise
708 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found
));
712 oldEntries
= SMB_MALLOC_ARRAY(char *, found
);
714 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
718 memset(oldEntries
, '\0', found
* sizeof(char *));
720 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
721 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
722 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
723 if (kt_entry
.vno
!= kvno
) {
724 char *ktprinc
= NULL
;
727 /* This returns a malloc'ed string in ktprinc. */
728 ret
= smb_krb5_unparse_name(context
, kt_entry
.principal
, &ktprinc
);
730 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret
)));
734 * From looking at the krb5 source they don't seem to take locale
735 * or mb strings into account. Maybe this is because they assume utf8 ?
736 * In this case we may need to convert from utf8 to mb charset here ? JRA.
738 p
= strchr_m(ktprinc
, '@');
743 p
= strchr_m(ktprinc
, '/');
747 for (i
= 0; i
< found
; i
++) {
748 if (!oldEntries
[i
]) {
749 oldEntries
[i
] = ktprinc
;
752 if (!strcmp(oldEntries
[i
], ktprinc
)) {
761 smb_krb5_kt_free_entry(context
, &kt_entry
);
762 ZERO_STRUCT(kt_entry
);
765 for (i
= 0; oldEntries
[i
]; i
++) {
766 ret
|= ads_keytab_add_entry(ads
, oldEntries
[i
]);
767 SAFE_FREE(oldEntries
[i
]);
769 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
775 SAFE_FREE(oldEntries
);
778 krb5_keytab_entry zero_kt_entry
;
779 ZERO_STRUCT(zero_kt_entry
);
780 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
781 smb_krb5_kt_free_entry(context
, &kt_entry
);
785 krb5_kt_cursor zero_csr
;
786 ZERO_STRUCT(zero_csr
);
787 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
788 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
792 krb5_kt_close(context
, keytab
);
795 krb5_free_context(context
);
800 /**********************************************************************
802 ***********************************************************************/
804 int ads_keytab_list(const char *keytab_name
)
806 krb5_error_code ret
= 0;
807 krb5_context context
= NULL
;
808 krb5_keytab keytab
= NULL
;
809 krb5_kt_cursor cursor
;
810 krb5_keytab_entry kt_entry
;
812 ZERO_STRUCT(kt_entry
);
815 initialize_krb5_error_table();
816 ret
= krb5_init_context(&context
);
818 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret
)));
822 ret
= smb_krb5_open_keytab(context
, keytab_name
, False
, &keytab
);
824 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret
)));
828 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
833 printf("Vno Type Principal\n");
835 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
837 char *princ_s
= NULL
;
838 char *etype_s
= NULL
;
839 krb5_enctype enctype
= 0;
841 ret
= smb_krb5_unparse_name(context
, kt_entry
.principal
, &princ_s
);
846 enctype
= smb_get_enctype_from_kt_entry(&kt_entry
);
848 ret
= smb_krb5_enctype_to_string(context
, enctype
, &etype_s
);
854 printf("%3d %s\t\t %s\n", kt_entry
.vno
, etype_s
, princ_s
);
859 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
865 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
870 /* Ensure we don't double free. */
871 ZERO_STRUCT(kt_entry
);
876 krb5_keytab_entry zero_kt_entry
;
877 ZERO_STRUCT(zero_kt_entry
);
878 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
879 smb_krb5_kt_free_entry(context
, &kt_entry
);
883 krb5_kt_cursor zero_csr
;
884 ZERO_STRUCT(zero_csr
);
885 if ((memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
886 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
891 krb5_kt_close(context
, keytab
);
894 krb5_free_context(context
);
899 #endif /* HAVE_KRB5 */