search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r11508: Removed incorrect patch hunk. Thanks to Andrew
[Samba.git] / source / libads / kerberos_keytab.c
blobf6ed107ee00dcff78f8700c1e5a13273008d1085
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12
13 This program is free software; you can redistribute it and/or modify
14 it under the terms of the GNU General Public License as published by
15 the Free Software Foundation; either version 2 of the License, or
16 (at your option) any later version.
17
18 This program is distributed in the hope that it will be useful,
19 but WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 GNU General Public License for more details.
22
23 You should have received a copy of the GNU General Public License
24 along with this program; if not, write to the Free Software
25 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 */
27
28 #include "includes.h"
29
30 #ifdef HAVE_KRB5
31
32 /**********************************************************************
33 Adds a single service principal, i.e. 'host' to the system keytab
34 ***********************************************************************/
35
36 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
37 {
38 krb5_error_code ret = 0;
39 krb5_context context = NULL;
40 krb5_keytab keytab = NULL;
41 krb5_kt_cursor cursor;
42 krb5_keytab_entry kt_entry;
43 krb5_principal princ = NULL;
44 krb5_data password;
45 krb5_enctype *enctypes = NULL;
46 krb5_kvno kvno;
47
48 char *principal = NULL;
49 char *princ_s = NULL;
50 char *password_s = NULL;
51 #ifndef MAX_KEYTAB_NAME_LEN
52 #define MAX_KEYTAB_NAME_LEN 1100
53 #endif
54 char keytab_name[MAX_KEYTAB_NAME_LEN]; /* This MAX_NAME_LEN is a constant defined in krb5.h */
55 fstring my_fqdn;
56 int i;
57 char *ktprinc = NULL;
58
59 ZERO_STRUCT(kt_entry);
60 ZERO_STRUCT(cursor);
61
62 initialize_krb5_error_table();
63 ret = krb5_init_context(&context);
64 if (ret) {
65 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
66 return -1;
67 }
68 #ifdef HAVE_WRFILE_KEYTAB /* MIT */
69 keytab_name[0] = 'W';
70 keytab_name[1] = 'R';
71 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
72 #else /* Heimdal */
73 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
74 #endif
75 if (ret) {
76 DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret)));
77 goto out;
78 }
79 DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name));
80 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
81 if (ret) {
82 DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret)));
83 goto out;
84 }
85
86 /* retrieve the password */
87 if (!secrets_init()) {
88 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
89 ret = -1;
90 goto out;
91 }
92 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
93 if (!password_s) {
94 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
95 ret = -1;
96 goto out;
97 }
98 password.data = password_s;
99 password.length = strlen(password_s);
100
101 /* Construct our principal */
102 name_to_fqdn(my_fqdn, global_myname());
103 strlower_m(my_fqdn);
104
105 if (strchr_m(srvPrinc, '@')) {
106 /* It's a fully-named principal. */
107 asprintf(&princ_s, "%s", srvPrinc);
108 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
109 /* It's the machine account, as used by smbclient clients. */
110 asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
111 } else {
112 /* It's a normal service principal. Add the SPN now so that we
113 * can obtain credentials for it and double-check the salt value
114 * used to generate the service's keys. */
115 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
116 /* Update the directory with the SPN */
117 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
118 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), srvPrinc))) {
119 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
120 goto out;
121 }
122 }
123
124 ret = get_kerberos_allowed_etypes(context,&enctypes);
125 if (ret) {
126 DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret)));
127 goto out;
128 }
129
130 /* Guess at how the KDC is salting keys for this principal. */
131 kerberos_derive_salting_principal(princ_s);
132
133 ret = krb5_parse_name(context, princ_s, &princ);
134 if (ret) {
135 DEBUG(1,("ads_keytab_add_entry: krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
136 goto out;
137 }
138
139 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
140 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
141 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
142 ret = -1;
143 goto out;
144 }
145
146 /* Seek and delete old keytab entries */
147 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
148 if (ret != KRB5_KT_END && ret != ENOENT ) {
149 DEBUG(3,("ads_keytab_add_entry: Will try to delete old keytab entries\n"));
150 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
151 BOOL compare_name_ok = False;
152
153 ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc);
154 if (ret) {
155 DEBUG(1,("ads_keytab_add_entry: krb5_unparse_name failed (%s)\n", error_message(ret)));
156 goto out;
157 }
158
159 /*---------------------------------------------------------------------------
160 * Save the entries with kvno - 1. This is what microsoft does
161 * to allow people with existing sessions that have kvno - 1 to still
162 * work. Otherwise, when the password for the machine changes, all
163 * kerberizied sessions will 'break' until either the client reboots or
164 * the client's session key expires and they get a new session ticket
165 * with the new kvno.
166 */
167
168 #ifdef HAVE_KRB5_KT_COMPARE
169 compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
170 #else
171 compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
172 #endif
173
174 if (!compare_name_ok) {
175 DEBUG(10,("ads_keytab_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
176 ktprinc, kt_entry.vno));
177 }
178
179 krb5_free_unparsed_name(context, ktprinc);
180 ktprinc = NULL;
181
182 if (compare_name_ok) {
183 if (kt_entry.vno == kvno - 1) {
184 DEBUG(5,("ads_keytab_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
185 kvno - 1, princ_s));
186 } else {
187
188 DEBUG(5,("ads_keytab_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
189 princ_s, kt_entry.vno));
190 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
191 ZERO_STRUCT(cursor);
192 if (ret) {
193 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
194 error_message(ret)));
195 goto out;
196 }
197 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
198 if (ret) {
199 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
200 error_message(ret)));
201 goto out;
202 }
203
204 DEBUG(5,("ads_keytab_add_entry: removed old entry for principal: %s (kvno %d).\n",
205 princ_s, kt_entry.vno));
206
207 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
208 if (ret) {
209 DEBUG(1,("ads_keytab_add_entry: krb5_kt_start_seq failed (%s)\n",
210 error_message(ret)));
211 goto out;
212 }
213 ret = smb_krb5_kt_free_entry(context, &kt_entry);
214 ZERO_STRUCT(kt_entry);
215 if (ret) {
216 DEBUG(1,("ads_keytab_add_entry: krb5_kt_remove_entry failed (%s)\n",
217 error_message(ret)));
218 goto out;
219 }
220 continue;
221 }
222 }
223
224 /* Not a match, just free this entry and continue. */
225 ret = smb_krb5_kt_free_entry(context, &kt_entry);
226 ZERO_STRUCT(kt_entry);
227 if (ret) {
228 DEBUG(1,("ads_keytab_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
229 goto out;
230 }
231 }
232
233 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
234 ZERO_STRUCT(cursor);
235 if (ret) {
236 DEBUG(1,("ads_keytab_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
237 goto out;
238 }
239 }
240
241 /* Ensure we don't double free. */
242 ZERO_STRUCT(kt_entry);
243 ZERO_STRUCT(cursor);
244
245 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
246
247 /* Now add keytab entries for all encryption types */
248 for (i = 0; enctypes[i]; i++) {
249 krb5_keyblock *keyp;
250
251 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
252 #error krb5_keytab_entry has no key or keyblock member
253 #endif
254 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
255 keyp = &kt_entry.key;
256 #endif
257 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
258 keyp = &kt_entry.keyblock;
259 #endif
260 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
261 continue;
262 }
263
264 kt_entry.principal = princ;
265 kt_entry.vno = kvno;
266
267 DEBUG(3,("ads_keytab_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
268 princ_s, enctypes[i], kt_entry.vno));
269 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
270 krb5_free_keyblock_contents(context, keyp);
271 ZERO_STRUCT(kt_entry);
272 if (ret) {
273 DEBUG(1,("ads_keytab_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
274 goto out;
275 }
276 }
277
278 krb5_kt_close(context, keytab);
279 keytab = NULL; /* Done with keytab now. No double free. */
280
281 out:
282
283 SAFE_FREE(principal);
284 SAFE_FREE(password_s);
285 SAFE_FREE(princ_s);
286
287 {
288 krb5_keytab_entry zero_kt_entry;
289 ZERO_STRUCT(zero_kt_entry);
290 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
291 smb_krb5_kt_free_entry(context, &kt_entry);
292 }
293 }
294 if (princ) {
295 krb5_free_principal(context, princ);
296 }
297 if (enctypes) {
298 free_kerberos_etypes(context, enctypes);
299 }
300
301 {
302 krb5_kt_cursor zero_csr;
303 ZERO_STRUCT(zero_csr);
304 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
305 krb5_kt_end_seq_get(context, keytab, &cursor);
306 }
307 }
308 if (keytab) {
309 krb5_kt_close(context, keytab);
310 }
311 if (context) {
312 krb5_free_context(context);
313 }
314 return (int)ret;
315 }
316
317 /**********************************************************************
318 Flushes all entries from the system keytab.
319 ***********************************************************************/
320
321 int ads_keytab_flush(ADS_STRUCT *ads)
322 {
323 krb5_error_code ret = 0;
324 krb5_context context = NULL;
325 krb5_keytab keytab = NULL;
326 krb5_kt_cursor cursor;
327 krb5_keytab_entry kt_entry;
328 krb5_kvno kvno;
329 char keytab_name[MAX_KEYTAB_NAME_LEN];
330
331 ZERO_STRUCT(kt_entry);
332 ZERO_STRUCT(cursor);
333
334 initialize_krb5_error_table();
335 ret = krb5_init_context(&context);
336 if (ret) {
337 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
338 return ret;
339 }
340 #ifdef HAVE_WRFILE_KEYTAB
341 keytab_name[0] = 'W';
342 keytab_name[1] = 'R';
343 ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
344 #else
345 ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
346 #endif
347 if (ret) {
348 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
349 goto out;
350 }
351 DEBUG(3,("ads_keytab_flush: Using default keytab: %s\n", (char *) &keytab_name));
352 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
353 if (ret) {
354 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
355 goto out;
356 }
357 ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
358 if (ret) {
359 DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
360 goto out;
361 }
362
363 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
364 if (kvno == -1) { /* -1 indicates a failure */
365 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
366 goto out;
367 }
368
369 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
370 if (ret != KRB5_KT_END && ret != ENOENT) {
371 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
372 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
373 ZERO_STRUCT(cursor);
374 if (ret) {
375 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
376 goto out;
377 }
378 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
379 if (ret) {
380 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
381 goto out;
382 }
383 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
384 if (ret) {
385 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
386 goto out;
387 }
388 ret = smb_krb5_kt_free_entry(context, &kt_entry);
389 ZERO_STRUCT(kt_entry);
390 if (ret) {
391 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
392 goto out;
393 }
394 }
395 }
396
397 /* Ensure we don't double free. */
398 ZERO_STRUCT(kt_entry);
399 ZERO_STRUCT(cursor);
400
401 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
402 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
403 goto out;
404 }
405
406 out:
407
408 {
409 krb5_keytab_entry zero_kt_entry;
410 ZERO_STRUCT(zero_kt_entry);
411 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
412 smb_krb5_kt_free_entry(context, &kt_entry);
413 }
414 }
415 {
416 krb5_kt_cursor zero_csr;
417 ZERO_STRUCT(zero_csr);
418 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
419 krb5_kt_end_seq_get(context, keytab, &cursor);
420 }
421 }
422 if (keytab) {
423 krb5_kt_close(context, keytab);
424 }
425 if (context) {
426 krb5_free_context(context);
427 }
428 return ret;
429 }
430
431 /**********************************************************************
432 Adds all the required service principals to the system keytab.
433 ***********************************************************************/
434
435 int ads_keytab_create_default(ADS_STRUCT *ads)
436 {
437 krb5_error_code ret = 0;
438 krb5_context context = NULL;
439 krb5_keytab keytab = NULL;
440 krb5_kt_cursor cursor;
441 krb5_keytab_entry kt_entry;
442 krb5_kvno kvno;
443 fstring my_fqdn, my_Fqdn, my_name, my_NAME, my_host_realm;
444 char *p_fqdn;
445 int i, found = 0;
446 char **oldEntries = NULL, *princ_s[26];
447
448 memset(princ_s, '\0', sizeof(princ_s));
449
450 ret = ads_keytab_add_entry(ads, "host");
451 if (ret) {
452 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
453 return ret;
454 }
455 ret = ads_keytab_add_entry(ads, "cifs");
456 if (ret) {
457 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
458 return ret;
459 }
460
461 fstrcpy(my_name, global_myname());
462 strlower_m(my_name);
463
464 fstrcpy(my_NAME, global_myname());
465 strupper_m(my_NAME);
466
467 my_fqdn[0] = '\0';
468 name_to_fqdn(my_fqdn, global_myname());
469 strlower_m(my_fqdn);
470
471 p_fqdn = strchr_m(my_fqdn, '.');
472 fstrcpy(my_Fqdn, my_NAME);
473 if (p_fqdn) {
474 fstrcat(my_Fqdn, p_fqdn);
475 }
476
477 fstrcpy(my_host_realm, my_name);
478 fstrcat(my_host_realm, ".");
479 fstrcat(my_host_realm, lp_realm());
480 strlower_m(my_host_realm);
481
482 asprintf(&princ_s[0], "%s$@%s", my_name, lp_realm());
483 asprintf(&princ_s[1], "%s$@%s", my_NAME, lp_realm());
484 asprintf(&princ_s[2], "host/%s@%s", my_name, lp_realm());
485 asprintf(&princ_s[3], "host/%s@%s", my_NAME, lp_realm());
486 asprintf(&princ_s[4], "host/%s@%s", my_fqdn, lp_realm());
487 asprintf(&princ_s[5], "host/%s@%s", my_Fqdn, lp_realm());
488 asprintf(&princ_s[6], "HOST/%s@%s", my_name, lp_realm());
489 asprintf(&princ_s[7], "HOST/%s@%s", my_NAME, lp_realm());
490 asprintf(&princ_s[8], "HOST/%s@%s", my_fqdn, lp_realm());
491 asprintf(&princ_s[9], "HOST/%s@%s", my_Fqdn, lp_realm());
492 asprintf(&princ_s[10], "cifs/%s@%s", my_name, lp_realm());
493 asprintf(&princ_s[11], "cifs/%s@%s", my_NAME, lp_realm());
494 asprintf(&princ_s[12], "cifs/%s@%s", my_fqdn, lp_realm());
495 asprintf(&princ_s[13], "cifs/%s@%s", my_Fqdn, lp_realm());
496 asprintf(&princ_s[14], "CIFS/%s@%s", my_name, lp_realm());
497 asprintf(&princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm());
498 asprintf(&princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm());
499 asprintf(&princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm());
500 asprintf(&princ_s[18], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
501 asprintf(&princ_s[19], "CIFS/%s.%s@%s", my_name, lp_realm(), lp_realm());
502 asprintf(&princ_s[20], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
503 asprintf(&princ_s[21], "HOST/%s.%s@%s", my_name, lp_realm(), lp_realm());
504
505 /* when dnsdomain == realm, don't add duplicate principal */
506 if (!strequal(my_host_realm, my_fqdn)) {
507 asprintf(&princ_s[22], "cifs/%s@%s", my_host_realm, lp_realm());
508 asprintf(&princ_s[23], "CIFS/%s@%s", my_host_realm, lp_realm());
509 asprintf(&princ_s[24], "host/%s@%s", my_host_realm, lp_realm());
510 asprintf(&princ_s[25], "HOST/%s@%s", my_host_realm, lp_realm());
511 }
512
513 for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) {
514 if (princ_s[i] != NULL) {
515 ret = ads_keytab_add_entry(ads, princ_s[i]);
516 if (ret != 0) {
517 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s[i]));
518 }
519 SAFE_FREE(princ_s[i]);
520 }
521 }
522
523 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
524 if (kvno == -1) {
525 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
526 return -1;
527 }
528
529 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to preserve and update.\n"));
530 /* Now loop through the keytab and update any other existing entries... */
531
532 ZERO_STRUCT(kt_entry);
533 ZERO_STRUCT(cursor);
534
535 initialize_krb5_error_table();
536 ret = krb5_init_context(&context);
537 if (ret) {
538 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
539 return ret;
540 }
541 ret = krb5_kt_default(context, &keytab);
542 if (ret) {
543 DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret)));
544 goto done;
545 }
546
547 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
548 if (ret != KRB5_KT_END && ret != ENOENT ) {
549 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
550 smb_krb5_kt_free_entry(context, &kt_entry);
551 ZERO_STRUCT(kt_entry);
552 found++;
553 }
554 }
555 krb5_kt_end_seq_get(context, keytab, &cursor);
556 ZERO_STRUCT(cursor);
557
558 /*
559 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
560 * where someone else could add entries after we've counted them. Re-open asap to minimise
561 * the race. JRA.
562 */
563
564 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
565 if (!found) {
566 goto done;
567 }
568 oldEntries = SMB_MALLOC_ARRAY(char *, found );
569 if (!oldEntries) {
570 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
571 ret = -1;
572 goto done;
573 }
574 memset(oldEntries, '\0', found * sizeof(char *));
575
576 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
577 if (ret != KRB5_KT_END && ret != ENOENT ) {
578 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
579 if (kt_entry.vno != kvno) {
580 char *ktprinc = NULL;
581 char *p;
582
583 /* This returns a malloc'ed string in ktprinc. */
584 ret = krb5_unparse_name(context, kt_entry.principal, &ktprinc);
585 if (ret) {
586 DEBUG(1,("krb5_unparse_name failed (%s)\n", error_message(ret)));
587 goto done;
588 }
589 /*
590 * From looking at the krb5 source they don't seem to take locale
591 * or mb strings into account. Maybe this is because they assume utf8 ?
592 * In this case we may need to convert from utf8 to mb charset here ? JRA.
593 */
594 p = strchr_m(ktprinc, '@');
595 if (p) {
596 *p = '\0';
597 }
598
599 p = strchr_m(ktprinc, '/');
600 if (p) {
601 *p = '\0';
602 }
603 for (i = 0; i < found; i++) {
604 if (!oldEntries[i]) {
605 oldEntries[i] = ktprinc;
606 break;
607 }
608 if (!strcmp(oldEntries[i], ktprinc)) {
609 krb5_free_unparsed_name(context, ktprinc);
610 break;
611 }
612 }
613 if (i == found) {
614 krb5_free_unparsed_name(context, ktprinc);
615 }
616 }
617 smb_krb5_kt_free_entry(context, &kt_entry);
618 ZERO_STRUCT(kt_entry);
619 }
620 ret = 0;
621 for (i = 0; oldEntries[i]; i++) {
622 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
623 krb5_free_unparsed_name(context, oldEntries[i]);
624 }
625 krb5_kt_end_seq_get(context, keytab, &cursor);
626 }
627 ZERO_STRUCT(cursor);
628
629 done:
630
631 SAFE_FREE(oldEntries);
632
633 {
634 krb5_keytab_entry zero_kt_entry;
635 ZERO_STRUCT(zero_kt_entry);
636 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
637 smb_krb5_kt_free_entry(context, &kt_entry);
638 }
639 }
640 {
641 krb5_kt_cursor zero_csr;
642 ZERO_STRUCT(zero_csr);
643 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
644 krb5_kt_end_seq_get(context, keytab, &cursor);
645 }
646 }
647 if (keytab) {
648 krb5_kt_close(context, keytab);
649 }
650 if (context) {
651 krb5_free_context(context);
652 }
653 return ret;
654 }
655 #endif /* HAVE_KRB5 */
Samba GIT mirror