_netr_LogonSamLogon: fix lm session key length.
[Samba.git] / source / libads / kerberos_keytab.c
blobd0161ada011a89bf6902aa500a6098b7aaefb908
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "includes.h"
30 #ifdef HAVE_KRB5
32 /**********************************************************************
33 **********************************************************************/
35 static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
36 krb5_kvno kvno, const char *princ_s,
37 krb5_enctype *enctypes, krb5_data password )
39 krb5_error_code ret = 0;
40 krb5_kt_cursor cursor;
41 krb5_keytab_entry kt_entry;
42 krb5_principal princ = NULL;
43 int i;
44 char *ktprinc = NULL;
46 ZERO_STRUCT(kt_entry);
47 ZERO_STRUCT(cursor);
49 ret = smb_krb5_parse_name(context, princ_s, &princ);
50 if (ret) {
51 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
52 goto out;
55 /* Seek and delete old keytab entries */
56 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
57 if (ret != KRB5_KT_END && ret != ENOENT ) {
58 DEBUG(3,("smb_krb5_kt_add_entry: Will try to delete old keytab entries\n"));
59 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
60 bool compare_name_ok = False;
62 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
63 if (ret) {
64 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_unparse_name failed (%s)\n",
65 error_message(ret)));
66 goto out;
69 /*---------------------------------------------------------------------------
70 * Save the entries with kvno - 1. This is what microsoft does
71 * to allow people with existing sessions that have kvno - 1 to still
72 * work. Otherwise, when the password for the machine changes, all
73 * kerberizied sessions will 'break' until either the client reboots or
74 * the client's session key expires and they get a new session ticket
75 * with the new kvno.
78 #ifdef HAVE_KRB5_KT_COMPARE
79 compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
80 #else
81 compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
82 #endif
84 if (!compare_name_ok) {
85 DEBUG(10,("smb_krb5_kt_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
86 ktprinc, kt_entry.vno));
89 SAFE_FREE(ktprinc);
91 if (compare_name_ok) {
92 if (kt_entry.vno == kvno - 1) {
93 DEBUG(5,("smb_krb5_kt_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
94 kvno - 1, princ_s));
95 } else {
97 DEBUG(5,("smb_krb5_kt_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
98 princ_s, kt_entry.vno));
99 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
100 ZERO_STRUCT(cursor);
101 if (ret) {
102 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
103 error_message(ret)));
104 goto out;
106 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
107 if (ret) {
108 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
109 error_message(ret)));
110 goto out;
113 DEBUG(5,("smb_krb5_kt_add_entry: removed old entry for principal: %s (kvno %d).\n",
114 princ_s, kt_entry.vno));
116 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
117 if (ret) {
118 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_start_seq failed (%s)\n",
119 error_message(ret)));
120 goto out;
122 ret = smb_krb5_kt_free_entry(context, &kt_entry);
123 ZERO_STRUCT(kt_entry);
124 if (ret) {
125 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
126 error_message(ret)));
127 goto out;
129 continue;
133 /* Not a match, just free this entry and continue. */
134 ret = smb_krb5_kt_free_entry(context, &kt_entry);
135 ZERO_STRUCT(kt_entry);
136 if (ret) {
137 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
138 goto out;
142 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
143 ZERO_STRUCT(cursor);
144 if (ret) {
145 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
146 goto out;
150 /* Ensure we don't double free. */
151 ZERO_STRUCT(kt_entry);
152 ZERO_STRUCT(cursor);
154 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
156 /* Now add keytab entries for all encryption types */
157 for (i = 0; enctypes[i]; i++) {
158 krb5_keyblock *keyp;
160 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
161 #error krb5_keytab_entry has no key or keyblock member
162 #endif
163 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
164 keyp = &kt_entry.key;
165 #endif
166 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
167 keyp = &kt_entry.keyblock;
168 #endif
169 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
170 continue;
173 kt_entry.principal = princ;
174 kt_entry.vno = kvno;
176 DEBUG(3,("smb_krb5_kt_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
177 princ_s, enctypes[i], kt_entry.vno));
178 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
179 krb5_free_keyblock_contents(context, keyp);
180 ZERO_STRUCT(kt_entry);
181 if (ret) {
182 DEBUG(1,("smb_krb5_kt_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
183 goto out;
188 out:
190 krb5_keytab_entry zero_kt_entry;
191 ZERO_STRUCT(zero_kt_entry);
192 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
193 smb_krb5_kt_free_entry(context, &kt_entry);
196 if (princ) {
197 krb5_free_principal(context, princ);
201 krb5_kt_cursor zero_csr;
202 ZERO_STRUCT(zero_csr);
203 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
204 krb5_kt_end_seq_get(context, keytab, &cursor);
208 return (int)ret;
212 /**********************************************************************
213 Adds a single service principal, i.e. 'host' to the system keytab
214 ***********************************************************************/
216 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
218 krb5_error_code ret = 0;
219 krb5_context context = NULL;
220 krb5_keytab keytab = NULL;
221 krb5_data password;
222 krb5_kvno kvno;
223 krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
224 char *princ_s = NULL, *short_princ_s = NULL;
225 char *password_s = NULL;
226 char *my_fqdn;
227 TALLOC_CTX *ctx = NULL;
228 char *machine_name;
230 #if defined(ENCTYPE_ARCFOUR_HMAC)
231 enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
232 #endif
234 initialize_krb5_error_table();
235 ret = krb5_init_context(&context);
236 if (ret) {
237 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
238 return -1;
241 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
242 if (ret) {
243 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
244 goto out;
247 /* retrieve the password */
248 if (!secrets_init()) {
249 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
250 ret = -1;
251 goto out;
253 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
254 if (!password_s) {
255 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
256 ret = -1;
257 goto out;
259 password.data = password_s;
260 password.length = strlen(password_s);
262 /* we need the dNSHostName value here */
264 if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
265 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
266 ret = -1;
267 goto out;
270 if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
271 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
272 ret = -1;
273 goto out;
276 if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
277 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
278 ret = -1;
279 goto out;
281 /*strip the trailing '$' */
282 machine_name[strlen(machine_name)-1] = '\0';
284 /* Construct our principal */
286 if (strchr_m(srvPrinc, '@')) {
287 /* It's a fully-named principal. */
288 asprintf(&princ_s, "%s", srvPrinc);
289 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
290 /* It's the machine account, as used by smbclient clients. */
291 asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
292 } else {
293 /* It's a normal service principal. Add the SPN now so that we
294 * can obtain credentials for it and double-check the salt value
295 * used to generate the service's keys. */
297 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
298 asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm());
300 /* According to http://support.microsoft.com/kb/326985/en-us,
301 certain principal names are automatically mapped to the host/...
302 principal in the AD account. So only create these in the
303 keytab, not in AD. --jerry */
305 if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
306 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
308 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
309 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
310 goto out;
315 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
316 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
317 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
318 ret = -1;
319 goto out;
322 /* add the fqdn principal to the keytab */
324 ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
325 if ( ret ) {
326 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
327 goto out;
330 /* add the short principal name if we have one */
332 if ( short_princ_s ) {
333 ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
334 if ( ret ) {
335 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
336 goto out;
340 out:
341 SAFE_FREE( princ_s );
342 SAFE_FREE( short_princ_s );
343 TALLOC_FREE( ctx );
345 if (keytab) {
346 krb5_kt_close(context, keytab);
348 if (context) {
349 krb5_free_context(context);
351 return (int)ret;
354 /**********************************************************************
355 Flushes all entries from the system keytab.
356 ***********************************************************************/
358 int ads_keytab_flush(ADS_STRUCT *ads)
360 krb5_error_code ret = 0;
361 krb5_context context = NULL;
362 krb5_keytab keytab = NULL;
363 krb5_kt_cursor cursor;
364 krb5_keytab_entry kt_entry;
365 krb5_kvno kvno;
367 ZERO_STRUCT(kt_entry);
368 ZERO_STRUCT(cursor);
370 initialize_krb5_error_table();
371 ret = krb5_init_context(&context);
372 if (ret) {
373 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
374 return ret;
377 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
378 if (ret) {
379 DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
380 goto out;
383 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
384 if (kvno == -1) { /* -1 indicates a failure */
385 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
386 goto out;
389 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
390 if (ret != KRB5_KT_END && ret != ENOENT) {
391 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
392 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
393 ZERO_STRUCT(cursor);
394 if (ret) {
395 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
396 goto out;
398 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
399 if (ret) {
400 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
401 goto out;
403 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
404 if (ret) {
405 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
406 goto out;
408 ret = smb_krb5_kt_free_entry(context, &kt_entry);
409 ZERO_STRUCT(kt_entry);
410 if (ret) {
411 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
412 goto out;
417 /* Ensure we don't double free. */
418 ZERO_STRUCT(kt_entry);
419 ZERO_STRUCT(cursor);
421 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
422 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
423 goto out;
426 out:
429 krb5_keytab_entry zero_kt_entry;
430 ZERO_STRUCT(zero_kt_entry);
431 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
432 smb_krb5_kt_free_entry(context, &kt_entry);
436 krb5_kt_cursor zero_csr;
437 ZERO_STRUCT(zero_csr);
438 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
439 krb5_kt_end_seq_get(context, keytab, &cursor);
442 if (keytab) {
443 krb5_kt_close(context, keytab);
445 if (context) {
446 krb5_free_context(context);
448 return ret;
451 /**********************************************************************
452 Adds all the required service principals to the system keytab.
453 ***********************************************************************/
455 int ads_keytab_create_default(ADS_STRUCT *ads)
457 krb5_error_code ret = 0;
458 krb5_context context = NULL;
459 krb5_keytab keytab = NULL;
460 krb5_kt_cursor cursor;
461 krb5_keytab_entry kt_entry;
462 krb5_kvno kvno;
463 int i, found = 0;
464 char *sam_account_name, *upn;
465 char **oldEntries = NULL, *princ_s[26];
466 TALLOC_CTX *ctx = NULL;
467 fstring machine_name;
469 memset(princ_s, '\0', sizeof(princ_s));
471 fstrcpy( machine_name, global_myname() );
473 /* these are the main ones we need */
475 if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
476 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
477 return ret;
481 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
482 really needs them and we will fall back to verifying against secrets.tdb */
484 if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
485 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
486 return ret;
488 #endif
490 if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
491 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
492 return -1;
495 /* now add the userPrincipalName and sAMAccountName entries */
497 if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
498 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
499 TALLOC_FREE( ctx );
500 return -1;
503 /* upper case the sAMAccountName to make it easier for apps to
504 know what case to use in the keytab file */
506 strupper_m( sam_account_name );
508 if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
509 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
510 sam_account_name));
511 return ret;
514 /* remember that not every machine account will have a upn */
516 upn = ads_get_upn( ads, ctx, machine_name);
517 if ( upn ) {
518 if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
519 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
520 upn));
521 TALLOC_FREE( ctx );
522 return ret;
526 TALLOC_FREE( ctx );
528 /* Now loop through the keytab and update any other existing entries... */
530 kvno = (krb5_kvno) ads_get_kvno(ads, machine_name);
531 if (kvno == -1) {
532 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
533 return -1;
536 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
537 "preserve and update.\n"));
539 ZERO_STRUCT(kt_entry);
540 ZERO_STRUCT(cursor);
542 initialize_krb5_error_table();
543 ret = krb5_init_context(&context);
544 if (ret) {
545 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
546 return ret;
549 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
550 if (ret) {
551 DEBUG(1,("ads_keytab_create_default: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
552 goto done;
555 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
556 if (ret != KRB5_KT_END && ret != ENOENT ) {
557 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
558 smb_krb5_kt_free_entry(context, &kt_entry);
559 ZERO_STRUCT(kt_entry);
560 found++;
563 krb5_kt_end_seq_get(context, keytab, &cursor);
564 ZERO_STRUCT(cursor);
567 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
568 * where someone else could add entries after we've counted them. Re-open asap to minimise
569 * the race. JRA.
572 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
573 if (!found) {
574 goto done;
576 oldEntries = SMB_MALLOC_ARRAY(char *, found );
577 if (!oldEntries) {
578 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
579 ret = -1;
580 goto done;
582 memset(oldEntries, '\0', found * sizeof(char *));
584 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
585 if (ret != KRB5_KT_END && ret != ENOENT ) {
586 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
587 if (kt_entry.vno != kvno) {
588 char *ktprinc = NULL;
589 char *p;
591 /* This returns a malloc'ed string in ktprinc. */
592 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
593 if (ret) {
594 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
595 goto done;
598 * From looking at the krb5 source they don't seem to take locale
599 * or mb strings into account. Maybe this is because they assume utf8 ?
600 * In this case we may need to convert from utf8 to mb charset here ? JRA.
602 p = strchr_m(ktprinc, '@');
603 if (p) {
604 *p = '\0';
607 p = strchr_m(ktprinc, '/');
608 if (p) {
609 *p = '\0';
611 for (i = 0; i < found; i++) {
612 if (!oldEntries[i]) {
613 oldEntries[i] = ktprinc;
614 break;
616 if (!strcmp(oldEntries[i], ktprinc)) {
617 SAFE_FREE(ktprinc);
618 break;
621 if (i == found) {
622 SAFE_FREE(ktprinc);
625 smb_krb5_kt_free_entry(context, &kt_entry);
626 ZERO_STRUCT(kt_entry);
628 ret = 0;
629 for (i = 0; oldEntries[i]; i++) {
630 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
631 SAFE_FREE(oldEntries[i]);
633 krb5_kt_end_seq_get(context, keytab, &cursor);
635 ZERO_STRUCT(cursor);
637 done:
639 SAFE_FREE(oldEntries);
642 krb5_keytab_entry zero_kt_entry;
643 ZERO_STRUCT(zero_kt_entry);
644 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
645 smb_krb5_kt_free_entry(context, &kt_entry);
649 krb5_kt_cursor zero_csr;
650 ZERO_STRUCT(zero_csr);
651 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
652 krb5_kt_end_seq_get(context, keytab, &cursor);
655 if (keytab) {
656 krb5_kt_close(context, keytab);
658 if (context) {
659 krb5_free_context(context);
661 return ret;
664 /**********************************************************************
665 List system keytab.
666 ***********************************************************************/
668 int ads_keytab_list(const char *keytab_name)
670 krb5_error_code ret = 0;
671 krb5_context context = NULL;
672 krb5_keytab keytab = NULL;
673 krb5_kt_cursor cursor;
674 krb5_keytab_entry kt_entry;
676 ZERO_STRUCT(kt_entry);
677 ZERO_STRUCT(cursor);
679 initialize_krb5_error_table();
680 ret = krb5_init_context(&context);
681 if (ret) {
682 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
683 return ret;
686 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
687 if (ret) {
688 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
689 goto out;
692 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
693 if (ret) {
694 goto out;
697 printf("Vno Type Principal\n");
699 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
701 char *princ_s = NULL;
702 char *etype_s = NULL;
703 krb5_enctype enctype = 0;
705 ret = smb_krb5_unparse_name(context, kt_entry.principal, &princ_s);
706 if (ret) {
707 goto out;
710 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
712 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
713 if (ret) {
714 SAFE_FREE(princ_s);
715 goto out;
718 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
720 SAFE_FREE(princ_s);
721 SAFE_FREE(etype_s);
723 ret = smb_krb5_kt_free_entry(context, &kt_entry);
724 if (ret) {
725 goto out;
729 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
730 if (ret) {
731 goto out;
734 /* Ensure we don't double free. */
735 ZERO_STRUCT(kt_entry);
736 ZERO_STRUCT(cursor);
737 out:
740 krb5_keytab_entry zero_kt_entry;
741 ZERO_STRUCT(zero_kt_entry);
742 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
743 smb_krb5_kt_free_entry(context, &kt_entry);
747 krb5_kt_cursor zero_csr;
748 ZERO_STRUCT(zero_csr);
749 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
750 krb5_kt_end_seq_get(context, keytab, &cursor);
754 if (keytab) {
755 krb5_kt_close(context, keytab);
757 if (context) {
758 krb5_free_context(context);
760 return ret;
763 #endif /* HAVE_KRB5 */