2 Unix SMB/CIFS implementation.
4 Kerberos utility functions
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
26 #include "auth/kerberos/kerberos.h"
27 #include "auth/kerberos/kerberos_srv_keytab.h"
29 static void keytab_principals_free(krb5_context context
, krb5_principal
*set
)
32 for (i
= 0; set
[i
] != NULL
; i
++) {
33 krb5_free_principal(context
, set
[i
]);
37 static krb5_error_code
principals_from_list(TALLOC_CTX
*parent_ctx
,
38 const char *samAccountName
,
40 const char **SPNs
, int num_SPNs
,
42 krb5_principal
**principals_out
,
43 const char **error_string
)
49 krb5_principal
*principals
= NULL
;
50 tmp_ctx
= talloc_new(parent_ctx
);
52 *error_string
= "Cannot allocate tmp_ctx";
57 *error_string
= "Cannot have a kerberos secret in "
58 "secrets.ldb without a realm";
63 upper_realm
= strupper_talloc(tmp_ctx
, realm
);
65 *error_string
= "Cannot allocate full upper case realm";
70 principals
= talloc_zero_array(tmp_ctx
, krb5_principal
,
71 num_SPNs
? (num_SPNs
+ 2) : 2);
73 for (i
= 0; num_SPNs
&& i
< num_SPNs
; i
++) {
74 ret
= krb5_parse_name(context
, SPNs
[i
], &principals
[i
]);
77 *error_string
= smb_get_krb5_error_message(context
, ret
,
84 ret
= krb5_make_principal(context
, &principals
[i
],
85 upper_realm
, samAccountName
,
88 *error_string
= smb_get_krb5_error_message(context
, ret
,
96 keytab_principals_free(context
, principals
);
98 *principals_out
= talloc_steal(parent_ctx
, principals
);
100 talloc_free(tmp_ctx
);
104 static krb5_error_code
salt_principal(TALLOC_CTX
*parent_ctx
,
105 const char *samAccountName
,
107 const char *saltPrincipal
,
108 krb5_context context
,
109 krb5_principal
*salt_princ
,
110 const char **error_string
)
114 char *machine_username
;
122 ret
= krb5_parse_name(context
, saltPrincipal
, salt_princ
);
124 *error_string
= smb_get_krb5_error_message(
125 context
, ret
, parent_ctx
);
130 if (!samAccountName
) {
131 (*error_string
) = "Cannot determine salt principal, no "
132 "saltPrincipal or samAccountName specified";
137 *error_string
= "Cannot have a kerberos secret in "
138 "secrets.ldb without a realm";
142 tmp_ctx
= talloc_new(parent_ctx
);
144 *error_string
= "Cannot allocate tmp_ctx";
148 machine_username
= talloc_strdup(tmp_ctx
, samAccountName
);
149 if (!machine_username
) {
150 *error_string
= "Cannot duplicate samAccountName";
151 talloc_free(tmp_ctx
);
155 if (machine_username
[strlen(machine_username
)-1] == '$') {
156 machine_username
[strlen(machine_username
)-1] = '\0';
159 lower_realm
= strlower_talloc(tmp_ctx
, realm
);
161 *error_string
= "Cannot allocate to lower case realm";
162 talloc_free(tmp_ctx
);
166 upper_realm
= strupper_talloc(tmp_ctx
, realm
);
168 *error_string
= "Cannot allocate to upper case realm";
169 talloc_free(tmp_ctx
);
173 salt_body
= talloc_asprintf(tmp_ctx
, "%s.%s",
174 machine_username
, lower_realm
);
176 *error_string
= "Cannot form salt principal body";
177 talloc_free(tmp_ctx
);
181 ret
= krb5_make_principal(context
, salt_princ
, upper_realm
,
182 "host", salt_body
, NULL
);
184 *error_string
= smb_get_krb5_error_message(context
,
188 talloc_free(tmp_ctx
);
192 /* Translate between the Microsoft msDS-SupportedEncryptionTypes values
193 * and the IETF encryption type values */
194 static krb5_enctype
ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap
)
196 switch (enctype_bitmap
) {
198 return ENCTYPE_DES_CBC_CRC
;
200 return ENCTYPE_DES_CBC_MD5
;
201 case ENC_RC4_HMAC_MD5
:
202 return ENCTYPE_ARCFOUR_HMAC_MD5
;
203 case ENC_HMAC_SHA1_96_AES128
:
204 return ENCTYPE_AES128_CTS_HMAC_SHA1_96
;
205 case ENC_HMAC_SHA1_96_AES256
:
206 return ENCTYPE_AES256_CTS_HMAC_SHA1_96
;
212 /* Return an array of krb5_enctype values */
213 static krb5_error_code
ms_suptypes_to_ietf_enctypes(TALLOC_CTX
*mem_ctx
,
214 uint32_t enctype_bitmap
,
215 krb5_enctype
**enctypes
)
217 unsigned int i
, j
= 0;
218 *enctypes
= talloc_zero_array(mem_ctx
, krb5_enctype
,
219 (8 * sizeof(enctype_bitmap
)) + 1);
223 for (i
= 0; i
< (8 * sizeof(enctype_bitmap
)); i
++) {
224 uint32_t bit_value
= (1 << i
) & enctype_bitmap
;
225 if (bit_value
& enctype_bitmap
) {
226 (*enctypes
)[j
] = ms_suptype_to_ietf_enctype(bit_value
);
227 if (!(*enctypes
)[j
]) {
237 static krb5_error_code
keytab_add_keys(TALLOC_CTX
*parent_ctx
,
238 krb5_principal
*principals
,
239 krb5_principal salt_princ
,
241 const char *password_s
,
242 krb5_context context
,
243 krb5_enctype
*enctypes
,
245 const char **error_string
)
252 password
.data
= discard_const_p(char *, password_s
);
253 password
.length
= strlen(password_s
);
255 for (i
= 0; enctypes
[i
]; i
++) {
256 krb5_keytab_entry entry
;
260 ret
= create_kerberos_key_from_string_direct(context
,
261 salt_princ
, &password
,
262 &entry
.keyblock
, enctypes
[i
]);
269 for (p
= 0; principals
[p
]; p
++) {
271 entry
.principal
= principals
[p
];
272 ret
= krb5_kt_add_entry(context
, keytab
, &entry
);
274 char *k5_error_string
=
275 smb_get_krb5_error_message(context
,
277 krb5_unparse_name(context
,
278 principals
[p
], &unparsed
);
279 *error_string
= talloc_asprintf(parent_ctx
,
280 "Failed to add enctype %d entry for "
281 "%s(kvno %d) to keytab: %s\n",
282 (int)enctypes
[i
], unparsed
,
283 kvno
, k5_error_string
);
286 talloc_free(k5_error_string
);
287 krb5_free_keyblock_contents(context
,
292 DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
293 kvno
, (int)enctypes
[i
]));
295 krb5_free_keyblock_contents(context
, &entry
.keyblock
);
300 static krb5_error_code
create_keytab(TALLOC_CTX
*parent_ctx
,
301 const char *samAccountName
,
303 const char *saltPrincipal
,
305 const char *new_secret
,
306 const char *old_secret
,
307 uint32_t supp_enctypes
,
308 krb5_principal
*principals
,
309 krb5_context context
,
312 const char **error_string
)
315 krb5_principal salt_princ
= NULL
;
316 krb5_enctype
*enctypes
;
320 /* There is no password here, so nothing to do */
324 mem_ctx
= talloc_new(parent_ctx
);
326 *error_string
= "unable to allocate tmp_ctx for create_keytab";
330 /* The salt used to generate these entries may be different however,
332 ret
= salt_principal(mem_ctx
, samAccountName
, realm
, saltPrincipal
,
333 context
, &salt_princ
, error_string
);
335 talloc_free(mem_ctx
);
339 ret
= ms_suptypes_to_ietf_enctypes(mem_ctx
, supp_enctypes
, &enctypes
);
341 *error_string
= talloc_asprintf(parent_ctx
,
342 "create_keytab: generating list of "
343 "encryption types failed (%s)\n",
344 smb_get_krb5_error_message(context
,
349 ret
= keytab_add_keys(mem_ctx
, principals
,
350 salt_princ
, kvno
, new_secret
,
351 context
, enctypes
, keytab
, error_string
);
356 if (old_secret
&& add_old
&& kvno
!= 0) {
357 ret
= keytab_add_keys(mem_ctx
, principals
,
358 salt_princ
, kvno
- 1, old_secret
,
359 context
, enctypes
, keytab
, error_string
);
363 krb5_free_principal(context
, salt_princ
);
364 talloc_free(mem_ctx
);
369 * Walk the keytab, looking for entries of this principal name,
370 * with KVNO other than current kvno -1.
372 * These entries are now stale,
373 * we only keep the current and previous entries around.
375 * Inspired by the code in Samba3 for 'use kerberos keytab'.
378 static krb5_error_code
remove_old_entries(TALLOC_CTX
*parent_ctx
,
380 krb5_principal
*principals
,
381 bool delete_all_kvno
,
382 krb5_context context
,
384 bool *found_previous
,
385 const char **error_string
)
387 krb5_error_code ret
, ret2
;
388 krb5_kt_cursor cursor
;
389 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
395 *found_previous
= false;
397 /* for each entry in the keytab */
398 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
402 case HEIM_ERR_OPNOTSUPP
:
405 /* no point enumerating if there isn't anything here */
406 talloc_free(mem_ctx
);
409 *error_string
= talloc_asprintf(parent_ctx
,
410 "failed to open keytab for read of old entries: %s\n",
411 smb_get_krb5_error_message(context
, ret
, mem_ctx
));
412 talloc_free(mem_ctx
);
418 bool matched
= false;
419 krb5_keytab_entry entry
;
420 ret
= krb5_kt_next_entry(context
, keytab
, &entry
, &cursor
);
424 for (i
= 0; principals
[i
]; i
++) {
425 /* if it matches our principal */
426 if (krb5_kt_compare(context
, &entry
,
427 principals
[i
], 0, 0)) {
435 * it wasn't the one we were looking for anyway */
436 krb5_kt_free_entry(context
, &entry
);
440 /* delete it, if it is not kvno -1 */
441 if (entry
.vno
!= (kvno
- 1 )) {
442 /* Release the enumeration. We are going to
443 * have to start this from the top again,
444 * because deletes during enumeration may not
445 * always be consistent.
447 * Also, the enumeration locks a FILE: keytab
450 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
452 ret
= krb5_kt_remove_entry(context
, keytab
, &entry
);
453 krb5_kt_free_entry(context
, &entry
);
455 /* Deleted: Restart from the top */
456 ret2
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
458 krb5_kt_free_entry(context
, &entry
);
459 DEBUG(1, ("failed to restart enumeration of keytab: %s\n",
460 smb_get_krb5_error_message(context
,
463 talloc_free(mem_ctx
);
472 *found_previous
= true;
475 /* Free the entry, we don't need it any more */
476 krb5_kt_free_entry(context
, &entry
);
478 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
488 *error_string
= talloc_asprintf(parent_ctx
,
489 "failed in deleting old entries for principal: %s\n",
490 smb_get_krb5_error_message(context
, ret
, mem_ctx
));
492 talloc_free(mem_ctx
);
496 krb5_error_code
smb_krb5_update_keytab(TALLOC_CTX
*parent_ctx
,
497 krb5_context context
,
498 const char *keytab_name
,
499 const char *samAccountName
,
503 const char *saltPrincipal
,
504 const char *new_secret
,
505 const char *old_secret
,
507 uint32_t supp_enctypes
,
508 bool delete_all_kvno
,
509 krb5_keytab
*_keytab
,
510 const char **error_string
)
516 krb5_principal
*principals
= NULL
;
518 if (keytab_name
== NULL
) {
522 ret
= krb5_kt_resolve(context
, keytab_name
, &keytab
);
524 *error_string
= smb_get_krb5_error_message(context
,
529 DEBUG(5, ("Opened keytab %s\n", keytab_name
));
531 tmp_ctx
= talloc_new(parent_ctx
);
536 /* Get the principal we will store the new keytab entries under */
537 ret
= principals_from_list(tmp_ctx
,
538 samAccountName
, realm
, SPNs
, num_SPNs
,
539 context
, &principals
, error_string
);
542 *error_string
= talloc_asprintf(parent_ctx
,
543 "Failed to load principals from ldb message: %s\n",
548 ret
= remove_old_entries(tmp_ctx
, kvno
, principals
, delete_all_kvno
,
549 context
, keytab
, &found_previous
, error_string
);
551 *error_string
= talloc_asprintf(parent_ctx
,
552 "Failed to remove old principals from keytab: %s\n",
557 if (!delete_all_kvno
) {
558 /* Create a new keytab. If during the cleanout we found
559 * entires for kvno -1, then don't try and duplicate them.
560 * Otherwise, add kvno, and kvno -1 */
562 ret
= create_keytab(tmp_ctx
,
563 samAccountName
, realm
, saltPrincipal
,
564 kvno
, new_secret
, old_secret
,
565 supp_enctypes
, principals
,
567 found_previous
? false : true,
570 talloc_steal(parent_ctx
, *error_string
);
574 if (ret
== 0 && _keytab
!= NULL
) {
575 /* caller wants the keytab handle back */
580 keytab_principals_free(context
, principals
);
581 if (ret
!= 0 || _keytab
== NULL
) {
582 krb5_kt_close(context
, keytab
);
584 talloc_free(tmp_ctx
);
588 krb5_error_code
smb_krb5_create_memory_keytab(TALLOC_CTX
*parent_ctx
,
589 krb5_context context
,
590 const char *new_secret
,
591 const char *samAccountName
,
595 const char **keytab_name
)
598 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
599 const char *rand_string
;
600 const char *error_string
;
605 rand_string
= generate_random_str(mem_ctx
, 16);
607 talloc_free(mem_ctx
);
611 *keytab_name
= talloc_asprintf(mem_ctx
, "MEMORY:%s", rand_string
);
612 if (*keytab_name
== NULL
) {
613 talloc_free(mem_ctx
);
618 ret
= smb_krb5_update_keytab(mem_ctx
, context
,
619 *keytab_name
, samAccountName
, realm
,
620 NULL
, 0, NULL
, new_secret
, NULL
,
622 false, keytab
, &error_string
);
624 talloc_steal(parent_ctx
, *keytab_name
);
626 DEBUG(0, ("Failed to create in-memory keytab: %s\n",
630 talloc_free(mem_ctx
);