| blob | fa2a1261a2823f6d60a211e6bf53de588d51ac9e |
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 */
31 #ifdef HAVE_KRB5
33 /**********************************************************************
34 **********************************************************************/
37 krb5_keytab keytab,
38 krb5_kvno kvno,
41 krb5_data password,
44 {
46 krb5_kt_cursor cursor;
47 krb5_keytab_entry kt_entry;
57 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
59 }
61 /* Seek and delete old keytab entries */
73 }
75 /*---------------------------------------------------------------------------
76 * Save the entries with kvno - 1. This is what microsoft does
77 * to allow people with existing sessions that have kvno - 1 to still
78 * work. Otherwise, when the password for the machine changes, all
79 * kerberizied sessions will 'break' until either the client reboots or
80 * the client's session key expires and they get a new session ticket
81 * with the new kvno.
82 */
84 #ifdef HAVE_KRB5_KT_COMPARE
86 #else
88 #endif
93 }
102 DEBUG(5,("smb_krb5_kt_add_entry_ext: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
110 }
116 }
126 }
133 }
135 }
136 }
138 /* Not a match, just free this entry and continue. */
142 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
144 }
145 }
152 }
153 }
155 /* Ensure we don't double free. */
159 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
161 /* Now add keytab entries for all encryption types */
169 }
174 DEBUG(3,("smb_krb5_kt_add_entry_ext: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
180 DEBUG(1,("smb_krb5_kt_add_entry_ext: adding entry to keytab failed (%s)\n", error_message(ret)));
182 }
183 }
186 out:
187 {
188 krb5_keytab_entry zero_kt_entry;
192 }
193 }
196 }
198 {
199 krb5_kt_cursor zero_csr;
203 }
204 }
207 }
210 krb5_keytab keytab,
211 krb5_kvno kvno,
214 krb5_data password)
215 {
217 keytab,
218 kvno,
219 princ_s,
220 enctypes,
221 password,
224 }
226 /**********************************************************************
227 Adds a single service principal, i.e. 'host' to the system keytab
228 ***********************************************************************/
231 {
235 krb5_data password;
236 krb5_kvno kvno;
244 #if defined(ENCTYPE_ARCFOUR_HMAC)
246 #endif
253 }
259 }
261 /* retrieve the password */
266 }
272 }
277 /* we need the dNSHostName value here */
283 }
289 }
295 }
296 /*strip the trailing '$' */
299 /* Construct our principal */
302 /* It's a fully-named principal. */
306 }
308 /* It's the machine account, as used by smbclient clients. */
312 }
314 /* It's a normal service principal. Add the SPN now so that we
315 * can obtain credentials for it and double-check the salt value
316 * used to generate the service's keys. */
321 }
325 }
327 /* According to http://support.microsoft.com/kb/326985/en-us,
328 certain principal names are automatically mapped to the host/...
329 principal in the AD account. So only create these in the
330 keytab, not in AD. --jerry */
338 }
339 }
340 }
344 DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
347 }
349 /* add the fqdn principal to the keytab */
355 }
357 /* add the short principal name if we have one */
364 }
365 }
367 out:
374 }
377 }
379 }
381 /**********************************************************************
382 Flushes all entries from the system keytab.
383 ***********************************************************************/
386 {
390 krb5_kt_cursor cursor;
391 krb5_keytab_entry kt_entry;
392 krb5_kvno kvno;
402 }
408 }
414 }
424 }
429 }
434 }
440 }
441 }
442 }
444 /* Ensure we don't double free. */
451 }
453 out:
455 {
456 krb5_keytab_entry zero_kt_entry;
460 }
461 }
462 {
463 krb5_kt_cursor zero_csr;
467 }
468 }
471 }
474 }
476 }
478 /**********************************************************************
479 Adds all the required service principals to the system keytab.
480 ***********************************************************************/
483 {
487 krb5_kt_cursor cursor;
488 krb5_keytab_entry kt_entry;
489 krb5_kvno kvno;
494 fstring machine_name;
500 /* these are the main ones we need */
505 }
509 really needs them and we will fall back to verifying against secrets.tdb */
514 }
515 #endif
520 }
522 /* now add the userPrincipalName and sAMAccountName entries */
528 }
530 /* upper case the sAMAccountName to make it easier for apps to
531 know what case to use in the keytab file */
536 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
537 sam_account_name));
539 }
541 /* remember that not every machine account will have a upn */
547 upn));
550 }
551 }
553 /* Now loop through the keytab and update any other existing entries... */
557 DEBUG(1,("ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno.\n"));
560 }
574 }
580 }
587 found++;
588 }
589 }
593 /*
594 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
595 * where someone else could add entries after we've counted them. Re-open asap to minimise
596 * the race. JRA.
597 */
602 }
605 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
608 }
618 /* This returns a malloc'ed string in ktprinc. */
623 }
624 /*
625 * From looking at the krb5 source they don't seem to take locale
626 * or mb strings into account. Maybe this is because they assume utf8 ?
627 * In this case we may need to convert from utf8 to mb charset here ? JRA.
628 */
632 }
637 }
642 }
646 }
647 }
650 }
651 }
654 }
659 }
661 }
664 done:
669 {
670 krb5_keytab_entry zero_kt_entry;
674 }
675 }
676 {
677 krb5_kt_cursor zero_csr;
681 }
682 }
685 }
688 }
690 }
692 /**********************************************************************
693 List system keytab.
694 ***********************************************************************/
697 {
701 krb5_kt_cursor cursor;
702 krb5_keytab_entry kt_entry;
712 }
718 }
723 }
736 }
743 {
746 }
747 }
757 }
758 }
763 }
765 /* Ensure we don't double free. */
768 out:
770 {
771 krb5_keytab_entry zero_kt_entry;
775 }
776 }
777 {
778 krb5_kt_cursor zero_csr;
782 }
783 }
787 }
790 }
792 }