2 Unix SMB/CIFS implementation.
4 Kerberos utility functions
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/kerberos/kerberos.h"
28 #include "auth/kerberos/kerberos_util.h"
29 #include "auth/kerberos/kerberos_srv_keytab.h"
31 static void keytab_principals_free(krb5_context context
,
32 uint32_t num_principals
,
37 for (i
= 0; i
< num_principals
; i
++) {
38 krb5_free_principal(context
, set
[i
]);
42 static krb5_error_code
salt_principal(TALLOC_CTX
*parent_ctx
,
43 const char *samAccountName
,
45 const char *saltPrincipal
,
47 krb5_principal
*salt_princ
,
48 const char **error_string
)
52 char *machine_username
;
60 ret
= krb5_parse_name(context
, saltPrincipal
, salt_princ
);
62 *error_string
= smb_get_krb5_error_message(
63 context
, ret
, parent_ctx
);
68 if (!samAccountName
) {
69 (*error_string
) = "Cannot determine salt principal, no "
70 "saltPrincipal or samAccountName specified";
75 *error_string
= "Cannot make principal without a realm";
79 tmp_ctx
= talloc_new(parent_ctx
);
81 *error_string
= "Cannot allocate tmp_ctx";
85 machine_username
= strlower_talloc(tmp_ctx
, samAccountName
);
86 if (!machine_username
) {
87 *error_string
= "Cannot duplicate samAccountName";
92 if (machine_username
[strlen(machine_username
)-1] == '$') {
93 machine_username
[strlen(machine_username
)-1] = '\0';
96 lower_realm
= strlower_talloc(tmp_ctx
, realm
);
98 *error_string
= "Cannot allocate to lower case realm";
103 upper_realm
= strupper_talloc(tmp_ctx
, realm
);
105 *error_string
= "Cannot allocate to upper case realm";
106 talloc_free(tmp_ctx
);
110 salt_body
= talloc_asprintf(tmp_ctx
, "%s.%s",
111 machine_username
, lower_realm
);
113 *error_string
= "Cannot form salt principal body";
114 talloc_free(tmp_ctx
);
118 ret
= smb_krb5_make_principal(context
, salt_princ
, upper_realm
,
119 "host", salt_body
, NULL
);
121 *error_string
= smb_get_krb5_error_message(context
,
125 talloc_free(tmp_ctx
);
129 static krb5_error_code
keytab_add_keys(TALLOC_CTX
*parent_ctx
,
130 uint32_t num_principals
,
131 krb5_principal
*principals
,
132 krb5_principal salt_princ
,
134 const char *password_s
,
135 krb5_context context
,
136 krb5_enctype
*enctypes
,
138 const char **error_string
)
145 password
.data
= discard_const_p(char, password_s
);
146 password
.length
= strlen(password_s
);
148 for (i
= 0; enctypes
[i
]; i
++) {
149 krb5_keytab_entry entry
;
153 ret
= smb_krb5_create_key_from_string(context
,
158 KRB5_KT_KEY(&entry
));
165 for (p
= 0; p
< num_principals
; p
++) {
167 entry
.principal
= principals
[p
];
168 ret
= krb5_kt_add_entry(context
, keytab
, &entry
);
170 char *k5_error_string
=
171 smb_get_krb5_error_message(context
,
173 krb5_unparse_name(context
,
174 principals
[p
], &unparsed
);
175 *error_string
= talloc_asprintf(parent_ctx
,
176 "Failed to add enctype %d entry for "
177 "%s(kvno %d) to keytab: %s\n",
178 (int)enctypes
[i
], unparsed
,
179 kvno
, k5_error_string
);
182 talloc_free(k5_error_string
);
183 krb5_free_keyblock_contents(context
,
184 KRB5_KT_KEY(&entry
));
188 DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
189 kvno
, (int)enctypes
[i
]));
191 krb5_free_keyblock_contents(context
, KRB5_KT_KEY(&entry
));
196 static krb5_error_code
create_keytab(TALLOC_CTX
*parent_ctx
,
197 const char *samAccountName
,
199 const char *saltPrincipal
,
201 const char *new_secret
,
202 const char *old_secret
,
203 uint32_t supp_enctypes
,
204 uint32_t num_principals
,
205 krb5_principal
*principals
,
206 krb5_context context
,
209 const char **error_string
)
212 krb5_principal salt_princ
= NULL
;
213 krb5_enctype
*enctypes
;
217 /* There is no password here, so nothing to do */
221 mem_ctx
= talloc_new(parent_ctx
);
223 *error_string
= talloc_strdup(parent_ctx
,
224 "unable to allocate tmp_ctx for create_keytab");
228 /* The salt used to generate these entries may be different however,
230 ret
= salt_principal(mem_ctx
, samAccountName
, realm
, saltPrincipal
,
231 context
, &salt_princ
, error_string
);
233 talloc_free(mem_ctx
);
237 ret
= ms_suptypes_to_ietf_enctypes(mem_ctx
, supp_enctypes
, &enctypes
);
239 *error_string
= talloc_asprintf(parent_ctx
,
240 "create_keytab: generating list of "
241 "encryption types failed (%s)\n",
242 smb_get_krb5_error_message(context
,
247 ret
= keytab_add_keys(mem_ctx
,
250 salt_princ
, kvno
, new_secret
,
251 context
, enctypes
, keytab
, error_string
);
253 talloc_steal(parent_ctx
, *error_string
);
257 if (old_secret
&& add_old
&& kvno
!= 0) {
258 ret
= keytab_add_keys(mem_ctx
,
261 salt_princ
, kvno
- 1, old_secret
,
262 context
, enctypes
, keytab
, error_string
);
264 talloc_steal(parent_ctx
, *error_string
);
269 krb5_free_principal(context
, salt_princ
);
270 talloc_free(mem_ctx
);
274 krb5_error_code
smb_krb5_update_keytab(TALLOC_CTX
*parent_ctx
,
275 krb5_context context
,
276 const char *keytab_name
,
277 const char *samAccountName
,
281 const char *saltPrincipal
,
282 const char *new_secret
,
283 const char *old_secret
,
285 uint32_t supp_enctypes
,
286 bool delete_all_kvno
,
287 krb5_keytab
*_keytab
,
288 const char **error_string
)
292 bool found_previous
= false;
294 krb5_principal
*principals
= NULL
;
295 uint32_t num_principals
= 0;
298 if (keytab_name
== NULL
) {
302 ret
= krb5_kt_resolve(context
, keytab_name
, &keytab
);
304 *error_string
= smb_get_krb5_error_message(context
,
309 DEBUG(5, ("Opened keytab %s\n", keytab_name
));
311 tmp_ctx
= talloc_new(parent_ctx
);
316 upper_realm
= strupper_talloc(tmp_ctx
, realm
);
317 if (upper_realm
== NULL
) {
318 *error_string
= "Cannot allocate memory to upper case realm";
319 talloc_free(tmp_ctx
);
323 ret
= smb_krb5_create_principals_array(tmp_ctx
,
333 *error_string
= talloc_asprintf(parent_ctx
,
334 "Failed to load principals from ldb message: %s\n",
339 ret
= smb_krb5_remove_obsolete_keytab_entries(tmp_ctx
,
348 *error_string
= talloc_asprintf(parent_ctx
,
349 "Failed to remove old principals from keytab: %s\n",
354 if (!delete_all_kvno
) {
355 /* Create a new keytab. If during the cleanout we found
356 * entires for kvno -1, then don't try and duplicate them.
357 * Otherwise, add kvno, and kvno -1 */
359 ret
= create_keytab(tmp_ctx
,
360 samAccountName
, upper_realm
, saltPrincipal
,
361 kvno
, new_secret
, old_secret
,
366 found_previous
? false : true,
369 talloc_steal(parent_ctx
, *error_string
);
373 if (ret
== 0 && _keytab
!= NULL
) {
374 /* caller wants the keytab handle back */
379 keytab_principals_free(context
, num_principals
, principals
);
380 if (ret
!= 0 || _keytab
== NULL
) {
381 krb5_kt_close(context
, keytab
);
383 talloc_free(tmp_ctx
);
387 krb5_error_code
smb_krb5_create_memory_keytab(TALLOC_CTX
*parent_ctx
,
388 krb5_context context
,
389 const char *new_secret
,
390 const char *samAccountName
,
394 const char **keytab_name
)
397 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
398 const char *rand_string
;
399 const char *error_string
;
404 rand_string
= generate_random_str(mem_ctx
, 16);
406 talloc_free(mem_ctx
);
410 *keytab_name
= talloc_asprintf(mem_ctx
, "MEMORY:%s", rand_string
);
411 if (*keytab_name
== NULL
) {
412 talloc_free(mem_ctx
);
416 ret
= smb_krb5_update_keytab(mem_ctx
, context
,
417 *keytab_name
, samAccountName
, realm
,
418 NULL
, 0, NULL
, new_secret
, NULL
,
420 false, keytab
, &error_string
);
422 talloc_steal(parent_ctx
, *keytab_name
);
424 DEBUG(0, ("Failed to create in-memory keytab: %s\n",
428 talloc_free(mem_ctx
);