search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
create-tarball: Adapt script to changed directory structure.
[Samba/gbeck.git] / source3 / libads / kerberos_keytab.c
blob883f5824452cb5fc4045e394110aab8180d9efdc
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
13
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
18
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
23
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 */
27
28 #include "includes.h"
29
30 #ifdef HAVE_KRB5
31
32 /**********************************************************************
33 **********************************************************************/
34
35 int smb_krb5_kt_add_entry_ext(krb5_context context,
36 krb5_keytab keytab,
37 krb5_kvno kvno,
38 const char *princ_s,
39 krb5_enctype *enctypes,
40 krb5_data password,
41 bool no_salt,
42 bool keep_old_entries)
43 {
44 krb5_error_code ret = 0;
45 krb5_kt_cursor cursor;
46 krb5_keytab_entry kt_entry;
47 krb5_principal princ = NULL;
48 int i;
49 char *ktprinc = NULL;
50
51 ZERO_STRUCT(kt_entry);
52 ZERO_STRUCT(cursor);
53
54 ret = smb_krb5_parse_name(context, princ_s, &princ);
55 if (ret) {
56 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
57 goto out;
58 }
59
60 /* Seek and delete old keytab entries */
61 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
62 if (ret != KRB5_KT_END && ret != ENOENT ) {
63 DEBUG(3,("smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries\n"));
64 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
65 bool compare_name_ok = False;
66
67 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
68 if (ret) {
69 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_unparse_name failed (%s)\n",
70 error_message(ret)));
71 goto out;
72 }
73
74 /*---------------------------------------------------------------------------
75 * Save the entries with kvno - 1. This is what microsoft does
76 * to allow people with existing sessions that have kvno - 1 to still
77 * work. Otherwise, when the password for the machine changes, all
78 * kerberizied sessions will 'break' until either the client reboots or
79 * the client's session key expires and they get a new session ticket
80 * with the new kvno.
81 */
82
83 #ifdef HAVE_KRB5_KT_COMPARE
84 compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
85 #else
86 compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
87 #endif
88
89 if (!compare_name_ok) {
90 DEBUG(10,("smb_krb5_kt_add_entry_ext: ignoring keytab entry principal %s, kvno = %d\n",
91 ktprinc, kt_entry.vno));
92 }
93
94 SAFE_FREE(ktprinc);
95
96 if (compare_name_ok) {
97 if (kt_entry.vno == kvno - 1) {
98 DEBUG(5,("smb_krb5_kt_add_entry_ext: Saving previous (kvno %d) entry for principal: %s.\n",
99 kvno - 1, princ_s));
100 } else if (!keep_old_entries) {
101 DEBUG(5,("smb_krb5_kt_add_entry_ext: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
102 princ_s, kt_entry.vno));
103 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
104 ZERO_STRUCT(cursor);
105 if (ret) {
106 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get() failed (%s)\n",
107 error_message(ret)));
108 goto out;
109 }
110 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
111 if (ret) {
112 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
113 error_message(ret)));
114 goto out;
115 }
116
117 DEBUG(5,("smb_krb5_kt_add_entry_ext: removed old entry for principal: %s (kvno %d).\n",
118 princ_s, kt_entry.vno));
119
120 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
121 if (ret) {
122 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_start_seq failed (%s)\n",
123 error_message(ret)));
124 goto out;
125 }
126 ret = smb_krb5_kt_free_entry(context, &kt_entry);
127 ZERO_STRUCT(kt_entry);
128 if (ret) {
129 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
130 error_message(ret)));
131 goto out;
132 }
133 continue;
134 }
135 }
136
137 /* Not a match, just free this entry and continue. */
138 ret = smb_krb5_kt_free_entry(context, &kt_entry);
139 ZERO_STRUCT(kt_entry);
140 if (ret) {
141 DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
142 goto out;
143 }
144 }
145
146 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
147 ZERO_STRUCT(cursor);
148 if (ret) {
149 DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
150 goto out;
151 }
152 }
153
154 /* Ensure we don't double free. */
155 ZERO_STRUCT(kt_entry);
156 ZERO_STRUCT(cursor);
157
158 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
159
160 /* Now add keytab entries for all encryption types */
161 for (i = 0; enctypes[i]; i++) {
162 krb5_keyblock *keyp;
163
164 keyp = KRB5_KT_KEY(&kt_entry);
165
166 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
167 continue;
168 }
169
170 kt_entry.principal = princ;
171 kt_entry.vno = kvno;
172
173 DEBUG(3,("smb_krb5_kt_add_entry_ext: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
174 princ_s, enctypes[i], kt_entry.vno));
175 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
176 krb5_free_keyblock_contents(context, keyp);
177 ZERO_STRUCT(kt_entry);
178 if (ret) {
179 DEBUG(1,("smb_krb5_kt_add_entry_ext: adding entry to keytab failed (%s)\n", error_message(ret)));
180 goto out;
181 }
182 }
183
184
185 out:
186 {
187 krb5_keytab_entry zero_kt_entry;
188 ZERO_STRUCT(zero_kt_entry);
189 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
190 smb_krb5_kt_free_entry(context, &kt_entry);
191 }
192 }
193 if (princ) {
194 krb5_free_principal(context, princ);
195 }
196
197 {
198 krb5_kt_cursor zero_csr;
199 ZERO_STRUCT(zero_csr);
200 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
201 krb5_kt_end_seq_get(context, keytab, &cursor);
202 }
203 }
204
205 return (int)ret;
206 }
207
208 static int smb_krb5_kt_add_entry(krb5_context context,
209 krb5_keytab keytab,
210 krb5_kvno kvno,
211 const char *princ_s,
212 krb5_enctype *enctypes,
213 krb5_data password)
214 {
215 return smb_krb5_kt_add_entry_ext(context,
216 keytab,
217 kvno,
218 princ_s,
219 enctypes,
220 password,
221 false,
222 false);
223 }
224
225 /**********************************************************************
226 Adds a single service principal, i.e. 'host' to the system keytab
227 ***********************************************************************/
228
229 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
230 {
231 krb5_error_code ret = 0;
232 krb5_context context = NULL;
233 krb5_keytab keytab = NULL;
234 krb5_data password;
235 krb5_kvno kvno;
236 krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
237 char *princ_s = NULL, *short_princ_s = NULL;
238 char *password_s = NULL;
239 char *my_fqdn;
240 TALLOC_CTX *ctx = NULL;
241 char *machine_name;
242
243 #if defined(ENCTYPE_ARCFOUR_HMAC)
244 enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
245 #endif
246
247 initialize_krb5_error_table();
248 ret = krb5_init_context(&context);
249 if (ret) {
250 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
251 return -1;
252 }
253
254 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
255 if (ret) {
256 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
257 goto out;
258 }
259
260 /* retrieve the password */
261 if (!secrets_init()) {
262 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
263 ret = -1;
264 goto out;
265 }
266 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
267 if (!password_s) {
268 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
269 ret = -1;
270 goto out;
271 }
272 ZERO_STRUCT(password);
273 password.data = password_s;
274 password.length = strlen(password_s);
275
276 /* we need the dNSHostName value here */
277
278 if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
279 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
280 ret = -1;
281 goto out;
282 }
283
284 if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
285 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
286 ret = -1;
287 goto out;
288 }
289
290 if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
291 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
292 ret = -1;
293 goto out;
294 }
295 /*strip the trailing '$' */
296 machine_name[strlen(machine_name)-1] = '\0';
297
298 /* Construct our principal */
299
300 if (strchr_m(srvPrinc, '@')) {
301 /* It's a fully-named principal. */
302 asprintf(&princ_s, "%s", srvPrinc);
303 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
304 /* It's the machine account, as used by smbclient clients. */
305 asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
306 } else {
307 /* It's a normal service principal. Add the SPN now so that we
308 * can obtain credentials for it and double-check the salt value
309 * used to generate the service's keys. */
310
311 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
312 asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm());
313
314 /* According to http://support.microsoft.com/kb/326985/en-us,
315 certain principal names are automatically mapped to the host/...
316 principal in the AD account. So only create these in the
317 keytab, not in AD. --jerry */
318
319 if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
320 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
321
322 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
323 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
324 goto out;
325 }
326 }
327 }
328
329 kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
330 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
331 DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
332 ret = -1;
333 goto out;
334 }
335
336 /* add the fqdn principal to the keytab */
337
338 ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
339 if ( ret ) {
340 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
341 goto out;
342 }
343
344 /* add the short principal name if we have one */
345
346 if ( short_princ_s ) {
347 ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
348 if ( ret ) {
349 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
350 goto out;
351 }
352 }
353
354 out:
355 SAFE_FREE( princ_s );
356 SAFE_FREE( short_princ_s );
357 TALLOC_FREE( ctx );
358
359 if (keytab) {
360 krb5_kt_close(context, keytab);
361 }
362 if (context) {
363 krb5_free_context(context);
364 }
365 return (int)ret;
366 }
367
368 /**********************************************************************
369 Flushes all entries from the system keytab.
370 ***********************************************************************/
371
372 int ads_keytab_flush(ADS_STRUCT *ads)
373 {
374 krb5_error_code ret = 0;
375 krb5_context context = NULL;
376 krb5_keytab keytab = NULL;
377 krb5_kt_cursor cursor;
378 krb5_keytab_entry kt_entry;
379 krb5_kvno kvno;
380
381 ZERO_STRUCT(kt_entry);
382 ZERO_STRUCT(cursor);
383
384 initialize_krb5_error_table();
385 ret = krb5_init_context(&context);
386 if (ret) {
387 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
388 return ret;
389 }
390
391 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
392 if (ret) {
393 DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
394 goto out;
395 }
396
397 kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
398 if (kvno == -1) { /* -1 indicates a failure */
399 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
400 goto out;
401 }
402
403 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
404 if (ret != KRB5_KT_END && ret != ENOENT) {
405 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
406 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
407 ZERO_STRUCT(cursor);
408 if (ret) {
409 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
410 goto out;
411 }
412 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
413 if (ret) {
414 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
415 goto out;
416 }
417 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
418 if (ret) {
419 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
420 goto out;
421 }
422 ret = smb_krb5_kt_free_entry(context, &kt_entry);
423 ZERO_STRUCT(kt_entry);
424 if (ret) {
425 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
426 goto out;
427 }
428 }
429 }
430
431 /* Ensure we don't double free. */
432 ZERO_STRUCT(kt_entry);
433 ZERO_STRUCT(cursor);
434
435 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
436 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
437 goto out;
438 }
439
440 out:
441
442 {
443 krb5_keytab_entry zero_kt_entry;
444 ZERO_STRUCT(zero_kt_entry);
445 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
446 smb_krb5_kt_free_entry(context, &kt_entry);
447 }
448 }
449 {
450 krb5_kt_cursor zero_csr;
451 ZERO_STRUCT(zero_csr);
452 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
453 krb5_kt_end_seq_get(context, keytab, &cursor);
454 }
455 }
456 if (keytab) {
457 krb5_kt_close(context, keytab);
458 }
459 if (context) {
460 krb5_free_context(context);
461 }
462 return ret;
463 }
464
465 /**********************************************************************
466 Adds all the required service principals to the system keytab.
467 ***********************************************************************/
468
469 int ads_keytab_create_default(ADS_STRUCT *ads)
470 {
471 krb5_error_code ret = 0;
472 krb5_context context = NULL;
473 krb5_keytab keytab = NULL;
474 krb5_kt_cursor cursor;
475 krb5_keytab_entry kt_entry;
476 krb5_kvno kvno;
477 int i, found = 0;
478 char *sam_account_name, *upn;
479 char **oldEntries = NULL, *princ_s[26];
480 TALLOC_CTX *ctx = NULL;
481 fstring machine_name;
482
483 memset(princ_s, '\0', sizeof(princ_s));
484
485 fstrcpy( machine_name, global_myname() );
486
487 /* these are the main ones we need */
488
489 if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
490 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
491 return ret;
492 }
493
494
495 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
496 really needs them and we will fall back to verifying against secrets.tdb */
497
498 if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
499 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
500 return ret;
501 }
502 #endif
503
504 if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
505 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
506 return -1;
507 }
508
509 /* now add the userPrincipalName and sAMAccountName entries */
510
511 if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
512 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
513 TALLOC_FREE( ctx );
514 return -1;
515 }
516
517 /* upper case the sAMAccountName to make it easier for apps to
518 know what case to use in the keytab file */
519
520 strupper_m( sam_account_name );
521
522 if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
523 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
524 sam_account_name));
525 return ret;
526 }
527
528 /* remember that not every machine account will have a upn */
529
530 upn = ads_get_upn( ads, ctx, machine_name);
531 if ( upn ) {
532 if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
533 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
534 upn));
535 TALLOC_FREE( ctx );
536 return ret;
537 }
538 }
539
540 TALLOC_FREE( ctx );
541
542 /* Now loop through the keytab and update any other existing entries... */
543
544 kvno = (krb5_kvno) ads_get_machine_kvno(ads, machine_name);
545 if (kvno == -1) {
546 DEBUG(1,("ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno.\n"));
547 return -1;
548 }
549
550 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
551 "preserve and update.\n"));
552
553 ZERO_STRUCT(kt_entry);
554 ZERO_STRUCT(cursor);
555
556 initialize_krb5_error_table();
557 ret = krb5_init_context(&context);
558 if (ret) {
559 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
560 return ret;
561 }
562
563 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
564 if (ret) {
565 DEBUG(1,("ads_keytab_create_default: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
566 goto done;
567 }
568
569 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
570 if (ret != KRB5_KT_END && ret != ENOENT ) {
571 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
572 smb_krb5_kt_free_entry(context, &kt_entry);
573 ZERO_STRUCT(kt_entry);
574 found++;
575 }
576 }
577 krb5_kt_end_seq_get(context, keytab, &cursor);
578 ZERO_STRUCT(cursor);
579
580 /*
581 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
582 * where someone else could add entries after we've counted them. Re-open asap to minimise
583 * the race. JRA.
584 */
585
586 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
587 if (!found) {
588 goto done;
589 }
590 oldEntries = SMB_MALLOC_ARRAY(char *, found );
591 if (!oldEntries) {
592 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
593 ret = -1;
594 goto done;
595 }
596 memset(oldEntries, '\0', found * sizeof(char *));
597
598 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
599 if (ret != KRB5_KT_END && ret != ENOENT ) {
600 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
601 if (kt_entry.vno != kvno) {
602 char *ktprinc = NULL;
603 char *p;
604
605 /* This returns a malloc'ed string in ktprinc. */
606 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
607 if (ret) {
608 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
609 goto done;
610 }
611 /*
612 * From looking at the krb5 source they don't seem to take locale
613 * or mb strings into account. Maybe this is because they assume utf8 ?
614 * In this case we may need to convert from utf8 to mb charset here ? JRA.
615 */
616 p = strchr_m(ktprinc, '@');
617 if (p) {
618 *p = '\0';
619 }
620
621 p = strchr_m(ktprinc, '/');
622 if (p) {
623 *p = '\0';
624 }
625 for (i = 0; i < found; i++) {
626 if (!oldEntries[i]) {
627 oldEntries[i] = ktprinc;
628 break;
629 }
630 if (!strcmp(oldEntries[i], ktprinc)) {
631 SAFE_FREE(ktprinc);
632 break;
633 }
634 }
635 if (i == found) {
636 SAFE_FREE(ktprinc);
637 }
638 }
639 smb_krb5_kt_free_entry(context, &kt_entry);
640 ZERO_STRUCT(kt_entry);
641 }
642 ret = 0;
643 for (i = 0; oldEntries[i]; i++) {
644 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
645 SAFE_FREE(oldEntries[i]);
646 }
647 krb5_kt_end_seq_get(context, keytab, &cursor);
648 }
649 ZERO_STRUCT(cursor);
650
651 done:
652
653 SAFE_FREE(oldEntries);
654
655 {
656 krb5_keytab_entry zero_kt_entry;
657 ZERO_STRUCT(zero_kt_entry);
658 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
659 smb_krb5_kt_free_entry(context, &kt_entry);
660 }
661 }
662 {
663 krb5_kt_cursor zero_csr;
664 ZERO_STRUCT(zero_csr);
665 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
666 krb5_kt_end_seq_get(context, keytab, &cursor);
667 }
668 }
669 if (keytab) {
670 krb5_kt_close(context, keytab);
671 }
672 if (context) {
673 krb5_free_context(context);
674 }
675 return ret;
676 }
677
678 /**********************************************************************
679 List system keytab.
680 ***********************************************************************/
681
682 int ads_keytab_list(const char *keytab_name)
683 {
684 krb5_error_code ret = 0;
685 krb5_context context = NULL;
686 krb5_keytab keytab = NULL;
687 krb5_kt_cursor cursor;
688 krb5_keytab_entry kt_entry;
689
690 ZERO_STRUCT(kt_entry);
691 ZERO_STRUCT(cursor);
692
693 initialize_krb5_error_table();
694 ret = krb5_init_context(&context);
695 if (ret) {
696 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
697 return ret;
698 }
699
700 ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
701 if (ret) {
702 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
703 goto out;
704 }
705
706 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
707 if (ret) {
708 goto out;
709 }
710
711 printf("Vno Type Principal\n");
712
713 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
714
715 char *princ_s = NULL;
716 char *etype_s = NULL;
717 krb5_enctype enctype = 0;
718
719 ret = smb_krb5_unparse_name(context, kt_entry.principal, &princ_s);
720 if (ret) {
721 goto out;
722 }
723
724 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
725
726 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
727 if (ret) {
728 SAFE_FREE(princ_s);
729 goto out;
730 }
731
732 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
733
734 SAFE_FREE(princ_s);
735 SAFE_FREE(etype_s);
736
737 ret = smb_krb5_kt_free_entry(context, &kt_entry);
738 if (ret) {
739 goto out;
740 }
741 }
742
743 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
744 if (ret) {
745 goto out;
746 }
747
748 /* Ensure we don't double free. */
749 ZERO_STRUCT(kt_entry);
750 ZERO_STRUCT(cursor);
751 out:
752
753 {
754 krb5_keytab_entry zero_kt_entry;
755 ZERO_STRUCT(zero_kt_entry);
756 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
757 smb_krb5_kt_free_entry(context, &kt_entry);
758 }
759 }
760 {
761 krb5_kt_cursor zero_csr;
762 ZERO_STRUCT(zero_csr);
763 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
764 krb5_kt_end_seq_get(context, keytab, &cursor);
765 }
766 }
767
768 if (keytab) {
769 krb5_kt_close(context, keytab);
770 }
771 if (context) {
772 krb5_free_context(context);
773 }
774 return ret;
775 }
776
777 #endif /* HAVE_KRB5 */
WIP