python/samba/netcmd/domain/keytab.py

   1 # domain management - domain keytab
   2 #
   3 # Copyright Matthias Dieter Wallnoefer 2009
   4 # Copyright Andrew Kroeger 2009
   5 # Copyright Jelmer Vernooij 2007-2012
   6 # Copyright Giampaolo Lauria 2011
   7 # Copyright Matthieu Patou <mat@matws.net> 2011
   8 # Copyright Andrew Bartlett 2008-2015
   9 # Copyright Stefan Metzmacher 2012
  10 #
  11 # This program is free software; you can redistribute it and/or modify
  12 # it under the terms of the GNU General Public License as published by
  13 # the Free Software Foundation; either version 3 of the License, or
  14 # (at your option) any later version.
  15 #
  16 # This program is distributed in the hope that it will be useful,
  17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19 # GNU General Public License for more details.
  20 #
  21 # You should have received a copy of the GNU General Public License
  22 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 #
  24
  25 import samba.getopt as options
  26 from samba import enable_net_export_keytab, NTSTATUSError
  27 from samba.net import Net
  28 from samba.netcmd import Command, CommandError, Option
  29
  30 try:
  31     enable_net_export_keytab()
  32 except ImportError:
  33     cmd_domain_export_keytab = None
  34 else:
  35     class cmd_domain_export_keytab(Command):
  36         """Dump Kerberos keys of the domain into a keytab."""
  37
  38         synopsis = "%prog <keytab> [options]"
  39
  40         takes_optiongroups = {
  41             "sambaopts": options.SambaOptions,
  42             "credopts": options.CredentialsOptions,
  43             "hostopts": options.HostOptions,
  44             "versionopts": options.VersionOptions,
  45         }
  46
  47         takes_options = [
  48             Option("--principal", help="extract only this principal", type=str),
  49             Option("--keep-stale-entries", help="keep stale keys in keytab (useful for collecting keys for Wireshark)", action="store_true"),
  50             Option("--only-current-keys",
  51                    help="This avoids exporting old and older keys (useful for keytabs used by kinit)",
  52                    action="store_true"),
  53         ]
  54
  55         takes_args = ["keytab"]
  56
  57         def run(self,
  58                 keytab,
  59                 credopts=None,
  60                 sambaopts=None,
  61                 versionopts=None,
  62                 hostopts=None,
  63                 principal=None,
  64                 keep_stale_entries=None,
  65                 only_current_keys=None):
  66             lp = sambaopts.get_loadparm()
  67             net = Net(None, lp)
  68             samdb = self.ldb_connect(hostopts, sambaopts, credopts)
  69             try:
  70                 net.export_keytab(samdb=samdb,
  71                                   keytab=keytab,
  72                                   principal=principal,
  73                                   keep_stale_entries=keep_stale_entries,
  74                                   only_current_keys=only_current_keys)
  75             except NTSTATUSError as error:
  76                 raise CommandError(f"Failed to export domain keys into keytab {keytab}: {error.args[1]}")