smbd: Remove unused blocking_lock_record* from VFS_BRL_CANCEL_WINDOWS
[Samba.git] / source3 / libads / kerberos_keytab.c
blob6a1ba75ac01b3c9055ca266506f38514ea7b7315
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "includes.h"
29 #include "smb_krb5.h"
30 #include "ads.h"
31 #include "secrets.h"
33 #ifdef HAVE_KRB5
35 /**********************************************************************
36 **********************************************************************/
38 static krb5_error_code seek_and_delete_old_entries(krb5_context context,
39 krb5_keytab keytab,
40 krb5_kvno kvno,
41 const char *princ_s,
42 krb5_principal princ,
43 bool flush,
44 bool keep_old_entries)
46 krb5_error_code ret;
47 krb5_kt_cursor cursor;
48 krb5_kt_cursor zero_csr;
49 krb5_keytab_entry kt_entry;
50 krb5_keytab_entry zero_kt_entry;
51 char *ktprinc = NULL;
52 krb5_kvno old_kvno = kvno - 1;
54 ZERO_STRUCT(cursor);
55 ZERO_STRUCT(zero_csr);
56 ZERO_STRUCT(kt_entry);
57 ZERO_STRUCT(zero_kt_entry);
59 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
60 if (ret == KRB5_KT_END || ret == ENOENT ) {
61 /* no entries */
62 return 0;
65 DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
66 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
67 bool name_ok = False;
69 if (!flush && (princ_s != NULL)) {
70 ret = smb_krb5_unparse_name(talloc_tos(), context,
71 kt_entry.principal,
72 &ktprinc);
73 if (ret) {
74 DEBUG(1, (__location__
75 ": smb_krb5_unparse_name failed "
76 "(%s)\n", error_message(ret)));
77 goto out;
80 #ifdef HAVE_KRB5_KT_COMPARE
81 name_ok = krb5_kt_compare(context, &kt_entry,
82 princ, 0, 0);
83 #else
84 name_ok = (strcmp(ktprinc, princ_s) == 0);
85 #endif
87 if (!name_ok) {
88 DEBUG(10, (__location__ ": ignoring keytab "
89 "entry principal %s, kvno = %d\n",
90 ktprinc, kt_entry.vno));
92 /* Not a match,
93 * just free this entry and continue. */
94 ret = smb_krb5_kt_free_entry(context,
95 &kt_entry);
96 ZERO_STRUCT(kt_entry);
97 if (ret) {
98 DEBUG(1, (__location__
99 ": smb_krb5_kt_free_entry "
100 "failed (%s)\n",
101 error_message(ret)));
102 goto out;
105 TALLOC_FREE(ktprinc);
106 continue;
109 TALLOC_FREE(ktprinc);
112 /*------------------------------------------------------------
113 * Save the entries with kvno - 1. This is what microsoft does
114 * to allow people with existing sessions that have kvno - 1
115 * to still work. Otherwise, when the password for the machine
116 * changes, all kerberizied sessions will 'break' until either
117 * the client reboots or the client's session key expires and
118 * they get a new session ticket with the new kvno.
119 * Some keytab files only store the kvno in 8bits, limit
120 * the compare accordingly.
123 if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
124 DEBUG(5, (__location__ ": Saving previous (kvno %d) "
125 "entry for principal: %s.\n",
126 old_kvno, princ_s));
127 continue;
130 if (keep_old_entries) {
131 DEBUG(5, (__location__ ": Saving old (kvno %d) "
132 "entry for principal: %s.\n",
133 kvno, princ_s));
134 continue;
137 DEBUG(5, (__location__ ": Found old entry for principal: %s "
138 "(kvno %d) - trying to remove it.\n",
139 princ_s, kt_entry.vno));
141 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
142 ZERO_STRUCT(cursor);
143 if (ret) {
144 DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
145 "failed (%s)\n", error_message(ret)));
146 goto out;
148 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
149 if (ret) {
150 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
151 "failed (%s)\n", error_message(ret)));
152 goto out;
155 DEBUG(5, (__location__ ": removed old entry for principal: "
156 "%s (kvno %d).\n", princ_s, kt_entry.vno));
158 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
159 if (ret) {
160 DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
161 "(%s)\n", error_message(ret)));
162 goto out;
164 ret = smb_krb5_kt_free_entry(context, &kt_entry);
165 ZERO_STRUCT(kt_entry);
166 if (ret) {
167 DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
168 "failed (%s)\n", error_message(ret)));
169 goto out;
173 out:
174 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
175 smb_krb5_kt_free_entry(context, &kt_entry);
177 if (keytab) {
178 if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
179 krb5_kt_end_seq_get(context, keytab, &cursor);
183 return ret;
186 static int smb_krb5_kt_add_entry(krb5_context context,
187 krb5_keytab keytab,
188 krb5_kvno kvno,
189 const char *princ_s,
190 krb5_enctype *enctypes,
191 krb5_data password,
192 bool no_salt,
193 bool keep_old_entries)
195 krb5_error_code ret;
196 krb5_keytab_entry kt_entry;
197 krb5_principal princ = NULL;
198 int i;
200 ZERO_STRUCT(kt_entry);
202 ret = smb_krb5_parse_name(context, princ_s, &princ);
203 if (ret) {
204 DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
205 "failed (%s)\n", princ_s, error_message(ret)));
206 goto out;
209 /* Seek and delete old keytab entries */
210 ret = seek_and_delete_old_entries(context, keytab, kvno,
211 princ_s, princ, false,
212 keep_old_entries);
213 if (ret) {
214 goto out;
217 /* If we get here, we have deleted all the old entries with kvno's
218 * not equal to the current kvno-1. */
220 /* Now add keytab entries for all encryption types */
221 for (i = 0; enctypes[i]; i++) {
222 krb5_keyblock *keyp;
224 keyp = KRB5_KT_KEY(&kt_entry);
226 if (create_kerberos_key_from_string(context, princ,
227 &password, keyp,
228 enctypes[i], no_salt)) {
229 continue;
232 kt_entry.principal = princ;
233 kt_entry.vno = kvno;
235 DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
236 "encryption type (%d) and version (%d)\n",
237 princ_s, enctypes[i], kt_entry.vno));
238 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
239 krb5_free_keyblock_contents(context, keyp);
240 ZERO_STRUCT(kt_entry);
241 if (ret) {
242 DEBUG(1, (__location__ ": adding entry to keytab "
243 "failed (%s)\n", error_message(ret)));
244 goto out;
248 out:
249 if (princ) {
250 krb5_free_principal(context, princ);
253 return (int)ret;
256 #ifdef HAVE_ADS
258 /**********************************************************************
259 Adds a single service principal, i.e. 'host' to the system keytab
260 ***********************************************************************/
262 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
264 krb5_error_code ret = 0;
265 krb5_context context = NULL;
266 krb5_keytab keytab = NULL;
267 krb5_data password;
268 krb5_kvno kvno;
269 krb5_enctype enctypes[6] = {
270 ENCTYPE_DES_CBC_CRC,
271 ENCTYPE_DES_CBC_MD5,
272 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
273 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
274 #endif
275 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
276 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
277 #endif
278 ENCTYPE_ARCFOUR_HMAC,
281 char *princ_s = NULL;
282 char *short_princ_s = NULL;
283 char *password_s = NULL;
284 char *my_fqdn;
285 TALLOC_CTX *tmpctx = NULL;
286 char *machine_name;
287 ADS_STATUS aderr;
289 initialize_krb5_error_table();
290 ret = krb5_init_context(&context);
291 if (ret) {
292 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
293 error_message(ret)));
294 return -1;
297 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
298 if (ret) {
299 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
300 error_message(ret)));
301 goto out;
304 /* retrieve the password */
305 if (!secrets_init()) {
306 DEBUG(1, (__location__ ": secrets_init failed\n"));
307 ret = -1;
308 goto out;
310 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
311 if (!password_s) {
312 DEBUG(1, (__location__ ": failed to fetch machine password\n"));
313 ret = -1;
314 goto out;
316 ZERO_STRUCT(password);
317 password.data = password_s;
318 password.length = strlen(password_s);
320 /* we need the dNSHostName value here */
321 tmpctx = talloc_init(__location__);
322 if (!tmpctx) {
323 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
324 ret = -1;
325 goto out;
328 my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
329 if (!my_fqdn) {
330 DEBUG(0, (__location__ ": unable to determine machine "
331 "account's dns name in AD!\n"));
332 ret = -1;
333 goto out;
336 machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name());
337 if (!machine_name) {
338 DEBUG(0, (__location__ ": unable to determine machine "
339 "account's short name in AD!\n"));
340 ret = -1;
341 goto out;
343 /*strip the trailing '$' */
344 machine_name[strlen(machine_name)-1] = '\0';
346 /* Construct our principal */
347 if (strchr_m(srvPrinc, '@')) {
348 /* It's a fully-named principal. */
349 princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
350 if (!princ_s) {
351 ret = -1;
352 goto out;
354 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
355 /* It's the machine account, as used by smbclient clients. */
356 princ_s = talloc_asprintf(tmpctx, "%s@%s",
357 srvPrinc, lp_realm());
358 if (!princ_s) {
359 ret = -1;
360 goto out;
362 } else {
363 /* It's a normal service principal. Add the SPN now so that we
364 * can obtain credentials for it and double-check the salt value
365 * used to generate the service's keys. */
367 princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
368 srvPrinc, my_fqdn, lp_realm());
369 if (!princ_s) {
370 ret = -1;
371 goto out;
373 short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
374 srvPrinc, machine_name,
375 lp_realm());
376 if (short_princ_s == NULL) {
377 ret = -1;
378 goto out;
381 /* According to http://support.microsoft.com/kb/326985/en-us,
382 certain principal names are automatically mapped to the
383 host/... principal in the AD account.
384 So only create these in the keytab, not in AD. --jerry */
386 if (!strequal(srvPrinc, "cifs") &&
387 !strequal(srvPrinc, "host")) {
388 DEBUG(3, (__location__ ": Attempting to add/update "
389 "'%s'\n", princ_s));
391 aderr = ads_add_service_principal_name(ads,
392 lp_netbios_name(), my_fqdn, srvPrinc);
393 if (!ADS_ERR_OK(aderr)) {
394 DEBUG(1, (__location__ ": failed to "
395 "ads_add_service_principal_name.\n"));
396 goto out;
401 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
402 if (kvno == -1) {
403 /* -1 indicates failure, everything else is OK */
404 DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
405 "determine the system's kvno.\n"));
406 ret = -1;
407 goto out;
410 /* add the fqdn principal to the keytab */
411 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
412 princ_s, enctypes, password,
413 false, false);
414 if (ret) {
415 DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
416 goto out;
419 /* add the short principal name if we have one */
420 if (short_princ_s) {
421 ret = smb_krb5_kt_add_entry(context, keytab, kvno,
422 short_princ_s, enctypes, password,
423 false, false);
424 if (ret) {
425 DEBUG(1, (__location__
426 ": Failed to add short entry to keytab\n"));
427 goto out;
431 out:
432 TALLOC_FREE(tmpctx);
434 if (keytab) {
435 krb5_kt_close(context, keytab);
437 if (context) {
438 krb5_free_context(context);
440 return (int)ret;
443 /**********************************************************************
444 Flushes all entries from the system keytab.
445 ***********************************************************************/
447 int ads_keytab_flush(ADS_STRUCT *ads)
449 krb5_error_code ret = 0;
450 krb5_context context = NULL;
451 krb5_keytab keytab = NULL;
452 krb5_kvno kvno;
453 ADS_STATUS aderr;
455 initialize_krb5_error_table();
456 ret = krb5_init_context(&context);
457 if (ret) {
458 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
459 error_message(ret)));
460 return ret;
463 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
464 if (ret) {
465 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
466 error_message(ret)));
467 goto out;
470 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
471 if (kvno == -1) {
472 /* -1 indicates a failure */
473 DEBUG(1, (__location__ ": Error determining the kvno.\n"));
474 goto out;
477 /* Seek and delete old keytab entries */
478 ret = seek_and_delete_old_entries(context, keytab, kvno,
479 NULL, NULL, true, false);
480 if (ret) {
481 goto out;
484 aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
485 if (!ADS_ERR_OK(aderr)) {
486 DEBUG(1, (__location__ ": Error while clearing service "
487 "principal listings in LDAP.\n"));
488 goto out;
491 out:
492 if (keytab) {
493 krb5_kt_close(context, keytab);
495 if (context) {
496 krb5_free_context(context);
498 return ret;
501 /**********************************************************************
502 Adds all the required service principals to the system keytab.
503 ***********************************************************************/
505 int ads_keytab_create_default(ADS_STRUCT *ads)
507 krb5_error_code ret = 0;
508 krb5_context context = NULL;
509 krb5_keytab keytab = NULL;
510 krb5_kt_cursor cursor;
511 krb5_keytab_entry kt_entry;
512 krb5_kvno kvno;
513 int i, found = 0;
514 char *sam_account_name, *upn;
515 char **oldEntries = NULL, *princ_s[26];
516 TALLOC_CTX *tmpctx = NULL;
517 char *machine_name;
519 /* these are the main ones we need */
520 ret = ads_keytab_add_entry(ads, "host");
521 if (ret != 0) {
522 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
523 "adding 'host' principal.\n"));
524 return ret;
528 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
529 really needs them and we will fall back to verifying against
530 secrets.tdb */
532 ret = ads_keytab_add_entry(ads, "cifs"));
533 if (ret != 0 ) {
534 DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
535 "adding 'cifs'.\n"));
536 return ret;
538 #endif
540 memset(princ_s, '\0', sizeof(princ_s));
541 ZERO_STRUCT(kt_entry);
542 ZERO_STRUCT(cursor);
544 initialize_krb5_error_table();
545 ret = krb5_init_context(&context);
546 if (ret) {
547 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
548 error_message(ret)));
549 return ret;
552 tmpctx = talloc_init(__location__);
553 if (!tmpctx) {
554 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
555 ret = -1;
556 goto done;
559 machine_name = talloc_strdup(tmpctx, lp_netbios_name());
560 if (!machine_name) {
561 ret = -1;
562 goto done;
565 /* now add the userPrincipalName and sAMAccountName entries */
566 sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
567 if (!sam_account_name) {
568 DEBUG(0, (__location__ ": unable to determine machine "
569 "account's name in AD!\n"));
570 ret = -1;
571 goto done;
574 /* upper case the sAMAccountName to make it easier for apps to
575 know what case to use in the keytab file */
576 if (!strupper_m(sam_account_name)) {
577 ret = -1;
578 goto done;
581 ret = ads_keytab_add_entry(ads, sam_account_name);
582 if (ret != 0) {
583 DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
584 "while adding sAMAccountName (%s)\n",
585 sam_account_name));
586 goto done;
589 /* remember that not every machine account will have a upn */
590 upn = ads_get_upn(ads, tmpctx, machine_name);
591 if (upn) {
592 ret = ads_keytab_add_entry(ads, upn);
593 if (ret != 0) {
594 DEBUG(1, (__location__ ": ads_keytab_add_entry() "
595 "failed while adding UPN (%s)\n", upn));
596 goto done;
600 /* Now loop through the keytab and update any other existing entries */
601 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
602 if (kvno == -1) {
603 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
604 "determine the system's kvno.\n"));
605 goto done;
608 DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
609 "and update.\n"));
611 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
612 if (ret) {
613 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
614 error_message(ret)));
615 goto done;
618 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
619 if (ret != KRB5_KT_END && ret != ENOENT ) {
620 while ((ret = krb5_kt_next_entry(context, keytab,
621 &kt_entry, &cursor)) == 0) {
622 smb_krb5_kt_free_entry(context, &kt_entry);
623 ZERO_STRUCT(kt_entry);
624 found++;
627 krb5_kt_end_seq_get(context, keytab, &cursor);
628 ZERO_STRUCT(cursor);
631 * Hmmm. There is no "rewind" function for the keytab. This means we
632 * have a race condition where someone else could add entries after
633 * we've counted them. Re-open asap to minimise the race. JRA.
635 DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
636 if (!found) {
637 goto done;
640 oldEntries = talloc_array(tmpctx, char *, found);
641 if (!oldEntries) {
642 DEBUG(1, (__location__ ": Failed to allocate space to store "
643 "the old keytab entries (talloc failed?).\n"));
644 ret = -1;
645 goto done;
647 memset(oldEntries, '\0', found * sizeof(char *));
649 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
650 if (ret == KRB5_KT_END || ret == ENOENT) {
651 krb5_kt_end_seq_get(context, keytab, &cursor);
652 ZERO_STRUCT(cursor);
653 goto done;
656 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
657 if (kt_entry.vno != kvno) {
658 char *ktprinc = NULL;
659 char *p;
661 /* This returns a malloc'ed string in ktprinc. */
662 ret = smb_krb5_unparse_name(oldEntries, context,
663 kt_entry.principal,
664 &ktprinc);
665 if (ret) {
666 DEBUG(1, (__location__
667 ": smb_krb5_unparse_name failed "
668 "(%s)\n", error_message(ret)));
669 goto done;
672 * From looking at the krb5 source they don't seem to
673 * take locale or mb strings into account.
674 * Maybe this is because they assume utf8 ?
675 * In this case we may need to convert from utf8 to
676 * mb charset here ? JRA.
678 p = strchr_m(ktprinc, '@');
679 if (p) {
680 *p = '\0';
683 p = strchr_m(ktprinc, '/');
684 if (p) {
685 *p = '\0';
687 for (i = 0; i < found; i++) {
688 if (!oldEntries[i]) {
689 oldEntries[i] = ktprinc;
690 break;
692 if (!strcmp(oldEntries[i], ktprinc)) {
693 TALLOC_FREE(ktprinc);
694 break;
697 if (i == found) {
698 TALLOC_FREE(ktprinc);
701 smb_krb5_kt_free_entry(context, &kt_entry);
702 ZERO_STRUCT(kt_entry);
704 ret = 0;
705 for (i = 0; oldEntries[i]; i++) {
706 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
707 TALLOC_FREE(oldEntries[i]);
709 krb5_kt_end_seq_get(context, keytab, &cursor);
710 ZERO_STRUCT(cursor);
712 done:
713 TALLOC_FREE(oldEntries);
714 TALLOC_FREE(tmpctx);
717 krb5_keytab_entry zero_kt_entry;
718 ZERO_STRUCT(zero_kt_entry);
719 if (memcmp(&zero_kt_entry, &kt_entry,
720 sizeof(krb5_keytab_entry))) {
721 smb_krb5_kt_free_entry(context, &kt_entry);
725 krb5_kt_cursor zero_csr;
726 ZERO_STRUCT(zero_csr);
727 if ((memcmp(&cursor, &zero_csr,
728 sizeof(krb5_kt_cursor)) != 0) && keytab) {
729 krb5_kt_end_seq_get(context, keytab, &cursor);
732 if (keytab) {
733 krb5_kt_close(context, keytab);
735 if (context) {
736 krb5_free_context(context);
738 return ret;
741 #endif /* HAVE_ADS */
743 /**********************************************************************
744 List system keytab.
745 ***********************************************************************/
747 int ads_keytab_list(const char *keytab_name)
749 krb5_error_code ret = 0;
750 krb5_context context = NULL;
751 krb5_keytab keytab = NULL;
752 krb5_kt_cursor cursor;
753 krb5_keytab_entry kt_entry;
755 ZERO_STRUCT(kt_entry);
756 ZERO_STRUCT(cursor);
758 initialize_krb5_error_table();
759 ret = krb5_init_context(&context);
760 if (ret) {
761 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
762 error_message(ret)));
763 return ret;
766 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
767 if (ret) {
768 DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
769 error_message(ret)));
770 goto out;
773 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
774 if (ret) {
775 ZERO_STRUCT(cursor);
776 goto out;
779 printf("Vno Type Principal\n");
781 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
783 char *princ_s = NULL;
784 char *etype_s = NULL;
785 krb5_enctype enctype = 0;
787 ret = smb_krb5_unparse_name(talloc_tos(), context,
788 kt_entry.principal, &princ_s);
789 if (ret) {
790 goto out;
793 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
795 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
796 if (ret &&
797 (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
798 TALLOC_FREE(princ_s);
799 goto out;
802 printf("%3d %-43s %s\n", kt_entry.vno, etype_s, princ_s);
804 TALLOC_FREE(princ_s);
805 SAFE_FREE(etype_s);
807 ret = smb_krb5_kt_free_entry(context, &kt_entry);
808 if (ret) {
809 goto out;
813 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
814 if (ret) {
815 goto out;
818 /* Ensure we don't double free. */
819 ZERO_STRUCT(kt_entry);
820 ZERO_STRUCT(cursor);
821 out:
824 krb5_keytab_entry zero_kt_entry;
825 ZERO_STRUCT(zero_kt_entry);
826 if (memcmp(&zero_kt_entry, &kt_entry,
827 sizeof(krb5_keytab_entry))) {
828 smb_krb5_kt_free_entry(context, &kt_entry);
832 krb5_kt_cursor zero_csr;
833 ZERO_STRUCT(zero_csr);
834 if ((memcmp(&cursor, &zero_csr,
835 sizeof(krb5_kt_cursor)) != 0) && keytab) {
836 krb5_kt_end_seq_get(context, keytab, &cursor);
840 if (keytab) {
841 krb5_kt_close(context, keytab);
843 if (context) {
844 krb5_free_context(context);
846 return ret;
849 #endif /* HAVE_KRB5 */