search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WHATSNEW: Add release notes for Samba 3.6.23.
[Samba.git] / source3 / libads / kerberos_keytab.c
blobbadce3e79e9abe46b37807624658b13205dc8d5d
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
13
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
18
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
23
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 */
27
28 #include "includes.h"
29 #include "smb_krb5.h"
30 #include "ads.h"
31 #include "secrets.h"
32
33 #ifdef HAVE_KRB5
34
35 /**********************************************************************
36 **********************************************************************/
37
38 static krb5_error_code seek_and_delete_old_entries(krb5_context context,
39 krb5_keytab keytab,
40 krb5_kvno kvno,
41 const char *princ_s,
42 krb5_principal princ,
43 bool flush,
44 bool keep_old_entries)
45 {
46 krb5_error_code ret;
47 krb5_kt_cursor cursor;
48 krb5_kt_cursor zero_csr;
49 krb5_keytab_entry kt_entry;
50 krb5_keytab_entry zero_kt_entry;
51 char *ktprinc = NULL;
52
53 ZERO_STRUCT(cursor);
54 ZERO_STRUCT(zero_csr);
55 ZERO_STRUCT(kt_entry);
56 ZERO_STRUCT(zero_kt_entry);
57
58 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
59 if (ret == KRB5_KT_END || ret == ENOENT ) {
60 /* no entries */
61 return 0;
62 }
63
64 DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
65 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
66 bool name_ok = False;
67
68 if (!flush && (princ_s != NULL)) {
69 ret = smb_krb5_unparse_name(talloc_tos(), context,
70 kt_entry.principal,
71 &ktprinc);
72 if (ret) {
73 DEBUG(1, (__location__
74 ": smb_krb5_unparse_name failed "
75 "(%s)\n", error_message(ret)));
76 goto out;
77 }
78
79 #ifdef HAVE_KRB5_KT_COMPARE
80 name_ok = krb5_kt_compare(context, &kt_entry,
81 princ, 0, 0);
82 #else
83 name_ok = (strcmp(ktprinc, princ_s) == 0);
84 #endif
85
86 if (!name_ok) {
87 DEBUG(10, (__location__ ": ignoring keytab "
88 "entry principal %s, kvno = %d\n",
89 ktprinc, kt_entry.vno));
90
91 /* Not a match,
92 * just free this entry and continue. */
93 ret = smb_krb5_kt_free_entry(context,
94 &kt_entry);
95 ZERO_STRUCT(kt_entry);
96 if (ret) {
97 DEBUG(1, (__location__
98 ": smb_krb5_kt_free_entry "
99 "failed (%s)\n",
100 error_message(ret)));
101 goto out;
102 }
103
104 TALLOC_FREE(ktprinc);
105 continue;
106 }
107
108 TALLOC_FREE(ktprinc);
109 }
110
111 /*------------------------------------------------------------
112 * Save the entries with kvno - 1. This is what microsoft does
113 * to allow people with existing sessions that have kvno - 1
114 * to still work. Otherwise, when the password for the machine
115 * changes, all kerberizied sessions will 'break' until either
116 * the client reboots or the client's session key expires and
117 * they get a new session ticket with the new kvno.
118 */
119
120 if (!flush && (kt_entry.vno == kvno - 1)) {
121 DEBUG(5, (__location__ ": Saving previous (kvno %d) "
122 "entry for principal: %s.\n",
123 kvno - 1, princ_s));
124 continue;
125 }
126
127 if (keep_old_entries) {
128 DEBUG(5, (__location__ ": Saving old (kvno %d) "
129 "entry for principal: %s.\n",
130 kvno, princ_s));
131 continue;
132 }
133
134 DEBUG(5, (__location__ ": Found old entry for principal: %s "
135 "(kvno %d) - trying to remove it.\n",
136 princ_s, kt_entry.vno));
137
138 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
139 ZERO_STRUCT(cursor);
140 if (ret) {
141 DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
142 "failed (%s)\n", error_message(ret)));
143 goto out;
144 }
145 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
146 if (ret) {
147 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
148 "failed (%s)\n", error_message(ret)));
149 goto out;
150 }
151
152 DEBUG(5, (__location__ ": removed old entry for principal: "
153 "%s (kvno %d).\n", princ_s, kt_entry.vno));
154
155 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
156 if (ret) {
157 DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
158 "(%s)\n", error_message(ret)));
159 goto out;
160 }
161 ret = smb_krb5_kt_free_entry(context, &kt_entry);
162 ZERO_STRUCT(kt_entry);
163 if (ret) {
164 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
165 "failed (%s)\n", error_message(ret)));
166 goto out;
167 }
168 }
169
170 out:
171 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
172 smb_krb5_kt_free_entry(context, &kt_entry);
173 }
174 if (keytab) {
175 if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
176 krb5_kt_end_seq_get(context, keytab, &cursor);
177 }
178 }
179
180 return ret;
181 }
182
183 static int smb_krb5_kt_add_entry(krb5_context context,
184 krb5_keytab keytab,
185 krb5_kvno kvno,
186 const char *princ_s,
187 krb5_enctype *enctypes,
188 krb5_data password,
189 bool no_salt,
190 bool keep_old_entries)
191 {
192 krb5_error_code ret;
193 krb5_keytab_entry kt_entry;
194 krb5_principal princ = NULL;
195 int i;
196
197 ZERO_STRUCT(kt_entry);
198
199 ret = smb_krb5_parse_name(context, princ_s, &princ);
200 if (ret) {
201 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
202 "failed (%s)\n", princ_s, error_message(ret)));
203 goto out;
204 }
205
206 /* Seek and delete old keytab entries */
207 ret = seek_and_delete_old_entries(context, keytab, kvno,
208 princ_s, princ, false,
209 keep_old_entries);
210 if (ret) {
211 goto out;
212 }
213
214 /* If we get here, we have deleted all the old entries with kvno's
215 * not equal to the current kvno-1. */
216
217 /* Now add keytab entries for all encryption types */
218 for (i = 0; enctypes[i]; i++) {
219 krb5_keyblock *keyp;
220
221 keyp = KRB5_KT_KEY(&kt_entry);
222
223 if (create_kerberos_key_from_string(context, princ,
224 &password, keyp,
225 enctypes[i], no_salt)) {
226 continue;
227 }
228
229 kt_entry.principal = princ;
230 kt_entry.vno = kvno;
231
232 DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
233 "encryption type (%d) and version (%d)\n",
234 princ_s, enctypes[i], kt_entry.vno));
235 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
236 krb5_free_keyblock_contents(context, keyp);
237 ZERO_STRUCT(kt_entry);
238 if (ret) {
239 DEBUG(1, (__location__ ": adding entry to keytab "
240 "failed (%s)\n", error_message(ret)));
241 goto out;
242 }
243 }
244
245 out:
246 if (princ) {
247 krb5_free_principal(context, princ);
248 }
249
250 return (int)ret;
251 }
252
253 /**********************************************************************
254 Adds a single service principal, i.e. 'host' to the system keytab
255 ***********************************************************************/
256
257 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
258 {
259 krb5_error_code ret = 0;
260 krb5_context context = NULL;
261 krb5_keytab keytab = NULL;
262 krb5_data password;
263 krb5_kvno kvno;
264 krb5_enctype enctypes[6] = {
265 ENCTYPE_DES_CBC_CRC,
266 ENCTYPE_DES_CBC_MD5,
267 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
268 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
269 #endif
270 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
271 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
272 #endif
273 ENCTYPE_ARCFOUR_HMAC,
274 0
275 };
276 char *princ_s = NULL;
277 char *short_princ_s = NULL;
278 char *password_s = NULL;
279 char *my_fqdn;
280 TALLOC_CTX *tmpctx = NULL;
281 char *machine_name;
282 ADS_STATUS aderr;
283
284 initialize_krb5_error_table();
285 ret = krb5_init_context(&context);
286 if (ret) {
287 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
288 error_message(ret)));
289 return -1;
290 }
291
292 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
293 if (ret) {
294 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
295 error_message(ret)));
296 goto out;
297 }
298
299 /* retrieve the password */
300 if (!secrets_init()) {
301 DEBUG(1, (__location__ ": secrets_init failed\n"));
302 ret = -1;
303 goto out;
304 }
305 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
306 if (!password_s) {
307 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
308 ret = -1;
309 goto out;
310 }
311 ZERO_STRUCT(password);
312 password.data = password_s;
313 password.length = strlen(password_s);
314
315 /* we need the dNSHostName value here */
316 tmpctx = talloc_init(__location__);
317 if (!tmpctx) {
318 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
319 ret = -1;
320 goto out;
321 }
322
323 my_fqdn = ads_get_dnshostname(ads, tmpctx, global_myname());
324 if (!my_fqdn) {
325 DEBUG(0, (__location__ ": unable to determine machine "
326 "account's dns name in AD!\n"));
327 ret = -1;
328 goto out;
329 }
330
331 machine_name = ads_get_samaccountname(ads, tmpctx, global_myname());
332 if (!machine_name) {
333 DEBUG(0, (__location__ ": unable to determine machine "
334 "account's short name in AD!\n"));
335 ret = -1;
336 goto out;
337 }
338 /*strip the trailing '$' */
339 machine_name[strlen(machine_name)-1] = '\0';
340
341 /* Construct our principal */
342 if (strchr_m(srvPrinc, '@')) {
343 /* It's a fully-named principal. */
344 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
345 if (!princ_s) {
346 ret = -1;
347 goto out;
348 }
349 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
350 /* It's the machine account, as used by smbclient clients. */
351 princ_s = talloc_asprintf(tmpctx, "%s@%s",
352 srvPrinc, lp_realm());
353 if (!princ_s) {
354 ret = -1;
355 goto out;
356 }
357 } else {
358 /* It's a normal service principal. Add the SPN now so that we
359 * can obtain credentials for it and double-check the salt value
360 * used to generate the service's keys. */
361
362 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
363 srvPrinc, my_fqdn, lp_realm());
364 if (!princ_s) {
365 ret = -1;
366 goto out;
367 }
368 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
369 srvPrinc, machine_name,
370 lp_realm());
371 if (!princ_s) {
372 ret = -1;
373 goto out;
374 }
375
376 /* According to http://support.microsoft.com/kb/326985/en-us,
377 certain principal names are automatically mapped to the
378 host/... principal in the AD account.
379 So only create these in the keytab, not in AD. --jerry */
380
381 if (!strequal(srvPrinc, "cifs") &&
382 !strequal(srvPrinc, "host")) {
383 DEBUG(3, (__location__ ": Attempting to add/update "
384 "'%s'\n", princ_s));
385
386 aderr = ads_add_service_principal_name(ads,
387 global_myname(), my_fqdn, srvPrinc);
388 if (!ADS_ERR_OK(aderr)) {
389 DEBUG(1, (__location__ ": failed to "
390 "ads_add_service_principal_name.\n"));
391 goto out;
392 }
393 }
394 }
395
396 kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
397 if (kvno == -1) {
398 /* -1 indicates failure, everything else is OK */
399 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
400 "determine the system's kvno.\n"));
401 ret = -1;
402 goto out;
403 }
404
405 /* add the fqdn principal to the keytab */
406 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
407 princ_s, enctypes, password,
408 false, false);
409 if (ret) {
410 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
411 goto out;
412 }
413
414 /* add the short principal name if we have one */
415 if (short_princ_s) {
416 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
417 short_princ_s, enctypes, password,
418 false, false);
419 if (ret) {
420 DEBUG(1, (__location__
421 ": Failed to add short entry to keytab\n"));
422 goto out;
423 }
424 }
425
426 out:
427 TALLOC_FREE(tmpctx);
428
429 if (keytab) {
430 krb5_kt_close(context, keytab);
431 }
432 if (context) {
433 krb5_free_context(context);
434 }
435 return (int)ret;
436 }
437
438 /**********************************************************************
439 Flushes all entries from the system keytab.
440 ***********************************************************************/
441
442 int ads_keytab_flush(ADS_STRUCT *ads)
443 {
444 krb5_error_code ret = 0;
445 krb5_context context = NULL;
446 krb5_keytab keytab = NULL;
447 krb5_kvno kvno;
448 ADS_STATUS aderr;
449
450 initialize_krb5_error_table();
451 ret = krb5_init_context(&context);
452 if (ret) {
453 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
454 error_message(ret)));
455 return ret;
456 }
457
458 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
459 if (ret) {
460 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
461 error_message(ret)));
462 goto out;
463 }
464
465 kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
466 if (kvno == -1) {
467 /* -1 indicates a failure */
468 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
469 goto out;
470 }
471
472 /* Seek and delete old keytab entries */
473 ret = seek_and_delete_old_entries(context, keytab, kvno,
474 NULL, NULL, true, false);
475 if (ret) {
476 goto out;
477 }
478
479 aderr = ads_clear_service_principal_names(ads, global_myname());
480 if (!ADS_ERR_OK(aderr)) {
481 DEBUG(1, (__location__ ": Error while clearing service "
482 "principal listings in LDAP.\n"));
483 goto out;
484 }
485
486 out:
487 if (keytab) {
488 krb5_kt_close(context, keytab);
489 }
490 if (context) {
491 krb5_free_context(context);
492 }
493 return ret;
494 }
495
496 /**********************************************************************
497 Adds all the required service principals to the system keytab.
498 ***********************************************************************/
499
500 int ads_keytab_create_default(ADS_STRUCT *ads)
501 {
502 krb5_error_code ret = 0;
503 krb5_context context = NULL;
504 krb5_keytab keytab = NULL;
505 krb5_kt_cursor cursor;
506 krb5_keytab_entry kt_entry;
507 krb5_kvno kvno;
508 int i, found = 0;
509 char *sam_account_name, *upn;
510 char **oldEntries = NULL, *princ_s[26];
511 TALLOC_CTX *tmpctx = NULL;
512 char *machine_name;
513
514 /* these are the main ones we need */
515 ret = ads_keytab_add_entry(ads, "host");
516 if (ret != 0) {
517 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
518 "adding 'host' principal.\n"));
519 return ret;
520 }
521
522
523 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
524 really needs them and we will fall back to verifying against
525 secrets.tdb */
526
527 ret = ads_keytab_add_entry(ads, "cifs"));
528 if (ret != 0 ) {
529 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
530 "adding 'cifs'.\n"));
531 return ret;
532 }
533 #endif
534
535 memset(princ_s, '\0', sizeof(princ_s));
536 ZERO_STRUCT(kt_entry);
537 ZERO_STRUCT(cursor);
538
539 initialize_krb5_error_table();
540 ret = krb5_init_context(&context);
541 if (ret) {
542 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
543 error_message(ret)));
544 return ret;
545 }
546
547 tmpctx = talloc_init(__location__);
548 if (!tmpctx) {
549 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
550 ret = -1;
551 goto done;
552 }
553
554 machine_name = talloc_strdup(tmpctx, global_myname());
555 if (!machine_name) {
556 ret = -1;
557 goto done;
558 }
559
560 /* now add the userPrincipalName and sAMAccountName entries */
561 sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
562 if (!sam_account_name) {
563 DEBUG(0, (__location__ ": unable to determine machine "
564 "account's name in AD!\n"));
565 ret = -1;
566 goto done;
567 }
568
569 /* upper case the sAMAccountName to make it easier for apps to
570 know what case to use in the keytab file */
571 strupper_m(sam_account_name);
572
573 ret = ads_keytab_add_entry(ads, sam_account_name);
574 if (ret != 0) {
575 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
576 "while adding sAMAccountName (%s)\n",
577 sam_account_name));
578 goto done;
579 }
580
581 /* remember that not every machine account will have a upn */
582 upn = ads_get_upn(ads, tmpctx, machine_name);
583 if (upn) {
584 ret = ads_keytab_add_entry(ads, upn);
585 if (ret != 0) {
586 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
587 "failed while adding UPN (%s)\n", upn));
588 goto done;
589 }
590 }
591
592 /* Now loop through the keytab and update any other existing entries */
593 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
594 if (kvno == -1) {
595 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
596 "determine the system's kvno.\n"));
597 goto done;
598 }
599
600 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
601 "and update.\n"));
602
603 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
604 if (ret) {
605 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
606 error_message(ret)));
607 goto done;
608 }
609
610 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
611 if (ret != KRB5_KT_END && ret != ENOENT ) {
612 while ((ret = krb5_kt_next_entry(context, keytab,
613 &kt_entry, &cursor)) == 0) {
614 smb_krb5_kt_free_entry(context, &kt_entry);
615 ZERO_STRUCT(kt_entry);
616 found++;
617 }
618 }
619 krb5_kt_end_seq_get(context, keytab, &cursor);
620 ZERO_STRUCT(cursor);
621
622 /*
623 * Hmmm. There is no "rewind" function for the keytab. This means we
624 * have a race condition where someone else could add entries after
625 * we've counted them. Re-open asap to minimise the race. JRA.
626 */
627 DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
628 if (!found) {
629 goto done;
630 }
631
632 oldEntries = talloc_array(tmpctx, char *, found);
633 if (!oldEntries) {
634 DEBUG(1, (__location__ ": Failed to allocate space to store "
635 "the old keytab entries (talloc failed?).\n"));
636 ret = -1;
637 goto done;
638 }
639 memset(oldEntries, '\0', found * sizeof(char *));
640
641 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
642 if (ret == KRB5_KT_END || ret == ENOENT) {
643 krb5_kt_end_seq_get(context, keytab, &cursor);
644 ZERO_STRUCT(cursor);
645 goto done;
646 }
647
648 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
649 if (kt_entry.vno != kvno) {
650 char *ktprinc = NULL;
651 char *p;
652
653 /* This returns a malloc'ed string in ktprinc. */
654 ret = smb_krb5_unparse_name(oldEntries, context,
655 kt_entry.principal,
656 &ktprinc);
657 if (ret) {
658 DEBUG(1, (__location__
659 ": smb_krb5_unparse_name failed "
660 "(%s)\n", error_message(ret)));
661 goto done;
662 }
663 /*
664 * From looking at the krb5 source they don't seem to
665 * take locale or mb strings into account.
666 * Maybe this is because they assume utf8 ?
667 * In this case we may need to convert from utf8 to
668 * mb charset here ? JRA.
669 */
670 p = strchr_m(ktprinc, '@');
671 if (p) {
672 *p = '\0';
673 }
674
675 p = strchr_m(ktprinc, '/');
676 if (p) {
677 *p = '\0';
678 }
679 for (i = 0; i < found; i++) {
680 if (!oldEntries[i]) {
681 oldEntries[i] = ktprinc;
682 break;
683 }
684 if (!strcmp(oldEntries[i], ktprinc)) {
685 TALLOC_FREE(ktprinc);
686 break;
687 }
688 }
689 if (i == found) {
690 TALLOC_FREE(ktprinc);
691 }
692 }
693 smb_krb5_kt_free_entry(context, &kt_entry);
694 ZERO_STRUCT(kt_entry);
695 }
696 ret = 0;
697 for (i = 0; oldEntries[i]; i++) {
698 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
699 TALLOC_FREE(oldEntries[i]);
700 }
701 krb5_kt_end_seq_get(context, keytab, &cursor);
702 ZERO_STRUCT(cursor);
703
704 done:
705 TALLOC_FREE(oldEntries);
706 TALLOC_FREE(tmpctx);
707
708 {
709 krb5_keytab_entry zero_kt_entry;
710 ZERO_STRUCT(zero_kt_entry);
711 if (memcmp(&zero_kt_entry, &kt_entry,
712 sizeof(krb5_keytab_entry))) {
713 smb_krb5_kt_free_entry(context, &kt_entry);
714 }
715 }
716 {
717 krb5_kt_cursor zero_csr;
718 ZERO_STRUCT(zero_csr);
719 if ((memcmp(&cursor, &zero_csr,
720 sizeof(krb5_kt_cursor)) != 0) && keytab) {
721 krb5_kt_end_seq_get(context, keytab, &cursor);
722 }
723 }
724 if (keytab) {
725 krb5_kt_close(context, keytab);
726 }
727 if (context) {
728 krb5_free_context(context);
729 }
730 return ret;
731 }
732
733 /**********************************************************************
734 List system keytab.
735 ***********************************************************************/
736
737 int ads_keytab_list(const char *keytab_name)
738 {
739 krb5_error_code ret = 0;
740 krb5_context context = NULL;
741 krb5_keytab keytab = NULL;
742 krb5_kt_cursor cursor;
743 krb5_keytab_entry kt_entry;
744
745 ZERO_STRUCT(kt_entry);
746 ZERO_STRUCT(cursor);
747
748 initialize_krb5_error_table();
749 ret = krb5_init_context(&context);
750 if (ret) {
751 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
752 error_message(ret)));
753 return ret;
754 }
755
756 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
757 if (ret) {
758 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
759 error_message(ret)));
760 goto out;
761 }
762
763 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
764 if (ret) {
765 ZERO_STRUCT(cursor);
766 goto out;
767 }
768
769 printf("Vno Type Principal\n");
770
771 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
772
773 char *princ_s = NULL;
774 char *etype_s = NULL;
775 krb5_enctype enctype = 0;
776
777 ret = smb_krb5_unparse_name(talloc_tos(), context,
778 kt_entry.principal, &princ_s);
779 if (ret) {
780 goto out;
781 }
782
783 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
784
785 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
786 if (ret &&
787 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
788 TALLOC_FREE(princ_s);
789 goto out;
790 }
791
792 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
793
794 TALLOC_FREE(princ_s);
795 SAFE_FREE(etype_s);
796
797 ret = smb_krb5_kt_free_entry(context, &kt_entry);
798 if (ret) {
799 goto out;
800 }
801 }
802
803 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
804 if (ret) {
805 goto out;
806 }
807
808 /* Ensure we don't double free. */
809 ZERO_STRUCT(kt_entry);
810 ZERO_STRUCT(cursor);
811 out:
812
813 {
814 krb5_keytab_entry zero_kt_entry;
815 ZERO_STRUCT(zero_kt_entry);
816 if (memcmp(&zero_kt_entry, &kt_entry,
817 sizeof(krb5_keytab_entry))) {
818 smb_krb5_kt_free_entry(context, &kt_entry);
819 }
820 }
821 {
822 krb5_kt_cursor zero_csr;
823 ZERO_STRUCT(zero_csr);
824 if ((memcmp(&cursor, &zero_csr,
825 sizeof(krb5_kt_cursor)) != 0) && keytab) {
826 krb5_kt_end_seq_get(context, keytab, &cursor);
827 }
828 }
829
830 if (keytab) {
831 krb5_kt_close(context, keytab);
832 }
833 if (context) {
834 krb5_free_context(context);
835 }
836 return ret;
837 }
838
839 #endif /* HAVE_KRB5 */
Samba GIT mirror