2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
35 /**********************************************************************
36 **********************************************************************/
38 static krb5_error_code
seek_and_delete_old_entries(krb5_context context
,
44 bool keep_old_entries
)
47 krb5_kt_cursor cursor
;
48 krb5_kt_cursor zero_csr
;
49 krb5_keytab_entry kt_entry
;
50 krb5_keytab_entry zero_kt_entry
;
54 ZERO_STRUCT(zero_csr
);
55 ZERO_STRUCT(kt_entry
);
56 ZERO_STRUCT(zero_kt_entry
);
58 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
59 if (ret
== KRB5_KT_END
|| ret
== ENOENT
) {
64 DEBUG(3, (__location__
": Will try to delete old keytab entries\n"));
65 while (!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
68 if (!flush
&& (princ_s
!= NULL
)) {
69 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
73 DEBUG(1, (__location__
74 ": smb_krb5_unparse_name failed "
75 "(%s)\n", error_message(ret
)));
79 #ifdef HAVE_KRB5_KT_COMPARE
80 name_ok
= krb5_kt_compare(context
, &kt_entry
,
83 name_ok
= (strcmp(ktprinc
, princ_s
) == 0);
87 DEBUG(10, (__location__
": ignoring keytab "
88 "entry principal %s, kvno = %d\n",
89 ktprinc
, kt_entry
.vno
));
92 * just free this entry and continue. */
93 ret
= smb_krb5_kt_free_entry(context
,
95 ZERO_STRUCT(kt_entry
);
97 DEBUG(1, (__location__
98 ": smb_krb5_kt_free_entry "
100 error_message(ret
)));
104 TALLOC_FREE(ktprinc
);
108 TALLOC_FREE(ktprinc
);
111 /*------------------------------------------------------------
112 * Save the entries with kvno - 1. This is what microsoft does
113 * to allow people with existing sessions that have kvno - 1
114 * to still work. Otherwise, when the password for the machine
115 * changes, all kerberizied sessions will 'break' until either
116 * the client reboots or the client's session key expires and
117 * they get a new session ticket with the new kvno.
120 if (!flush
&& (kt_entry
.vno
== kvno
- 1)) {
121 DEBUG(5, (__location__
": Saving previous (kvno %d) "
122 "entry for principal: %s.\n",
127 if (keep_old_entries
) {
128 DEBUG(5, (__location__
": Saving old (kvno %d) "
129 "entry for principal: %s.\n",
134 DEBUG(5, (__location__
": Found old entry for principal: %s "
135 "(kvno %d) - trying to remove it.\n",
136 princ_s
, kt_entry
.vno
));
138 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
141 DEBUG(1, (__location__
": krb5_kt_end_seq_get() "
142 "failed (%s)\n", error_message(ret
)));
145 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
147 DEBUG(1, (__location__
": krb5_kt_remove_entry() "
148 "failed (%s)\n", error_message(ret
)));
152 DEBUG(5, (__location__
": removed old entry for principal: "
153 "%s (kvno %d).\n", princ_s
, kt_entry
.vno
));
155 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
157 DEBUG(1, (__location__
": krb5_kt_start_seq() failed "
158 "(%s)\n", error_message(ret
)));
161 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
162 ZERO_STRUCT(kt_entry
);
164 DEBUG(1, (__location__
": krb5_kt_remove_entry() "
165 "failed (%s)\n", error_message(ret
)));
171 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
172 smb_krb5_kt_free_entry(context
, &kt_entry
);
175 if (memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) {
176 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
183 static int smb_krb5_kt_add_entry(krb5_context context
,
187 krb5_enctype
*enctypes
,
190 bool keep_old_entries
)
193 krb5_keytab_entry kt_entry
;
194 krb5_principal princ
= NULL
;
197 ZERO_STRUCT(kt_entry
);
199 ret
= smb_krb5_parse_name(context
, princ_s
, &princ
);
201 DEBUG(1, (__location__
": smb_krb5_parse_name(%s) "
202 "failed (%s)\n", princ_s
, error_message(ret
)));
206 /* Seek and delete old keytab entries */
207 ret
= seek_and_delete_old_entries(context
, keytab
, kvno
,
208 princ_s
, princ
, false,
214 /* If we get here, we have deleted all the old entries with kvno's
215 * not equal to the current kvno-1. */
217 /* Now add keytab entries for all encryption types */
218 for (i
= 0; enctypes
[i
]; i
++) {
221 keyp
= KRB5_KT_KEY(&kt_entry
);
223 if (create_kerberos_key_from_string(context
, princ
,
225 enctypes
[i
], no_salt
)) {
229 kt_entry
.principal
= princ
;
232 DEBUG(3, (__location__
": adding keytab entry for (%s) with "
233 "encryption type (%d) and version (%d)\n",
234 princ_s
, enctypes
[i
], kt_entry
.vno
));
235 ret
= krb5_kt_add_entry(context
, keytab
, &kt_entry
);
236 krb5_free_keyblock_contents(context
, keyp
);
237 ZERO_STRUCT(kt_entry
);
239 DEBUG(1, (__location__
": adding entry to keytab "
240 "failed (%s)\n", error_message(ret
)));
247 krb5_free_principal(context
, princ
);
255 /**********************************************************************
256 Adds a single service principal, i.e. 'host' to the system keytab
257 ***********************************************************************/
259 int ads_keytab_add_entry(ADS_STRUCT
*ads
, const char *srvPrinc
)
261 krb5_error_code ret
= 0;
262 krb5_context context
= NULL
;
263 krb5_keytab keytab
= NULL
;
266 krb5_enctype enctypes
[6] = {
269 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
270 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
272 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
273 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
275 ENCTYPE_ARCFOUR_HMAC
,
278 char *princ_s
= NULL
;
279 char *short_princ_s
= NULL
;
280 char *password_s
= NULL
;
282 TALLOC_CTX
*tmpctx
= NULL
;
286 initialize_krb5_error_table();
287 ret
= krb5_init_context(&context
);
289 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
290 error_message(ret
)));
294 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
296 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
297 error_message(ret
)));
301 /* retrieve the password */
302 if (!secrets_init()) {
303 DEBUG(1, (__location__
": secrets_init failed\n"));
307 password_s
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
309 DEBUG(1, (__location__
": failed to fetch machine password\n"));
313 ZERO_STRUCT(password
);
314 password
.data
= password_s
;
315 password
.length
= strlen(password_s
);
317 /* we need the dNSHostName value here */
318 tmpctx
= talloc_init(__location__
);
320 DEBUG(0, (__location__
": talloc_init() failed!\n"));
325 my_fqdn
= ads_get_dnshostname(ads
, tmpctx
, lp_netbios_name());
327 DEBUG(0, (__location__
": unable to determine machine "
328 "account's dns name in AD!\n"));
333 machine_name
= ads_get_samaccountname(ads
, tmpctx
, lp_netbios_name());
335 DEBUG(0, (__location__
": unable to determine machine "
336 "account's short name in AD!\n"));
340 /*strip the trailing '$' */
341 machine_name
[strlen(machine_name
)-1] = '\0';
343 /* Construct our principal */
344 if (strchr_m(srvPrinc
, '@')) {
345 /* It's a fully-named principal. */
346 princ_s
= talloc_asprintf(tmpctx
, "%s", srvPrinc
);
351 } else if (srvPrinc
[strlen(srvPrinc
)-1] == '$') {
352 /* It's the machine account, as used by smbclient clients. */
353 princ_s
= talloc_asprintf(tmpctx
, "%s@%s",
354 srvPrinc
, lp_realm());
360 /* It's a normal service principal. Add the SPN now so that we
361 * can obtain credentials for it and double-check the salt value
362 * used to generate the service's keys. */
364 princ_s
= talloc_asprintf(tmpctx
, "%s/%s@%s",
365 srvPrinc
, my_fqdn
, lp_realm());
370 short_princ_s
= talloc_asprintf(tmpctx
, "%s/%s@%s",
371 srvPrinc
, machine_name
,
378 /* According to http://support.microsoft.com/kb/326985/en-us,
379 certain principal names are automatically mapped to the
380 host/... principal in the AD account.
381 So only create these in the keytab, not in AD. --jerry */
383 if (!strequal(srvPrinc
, "cifs") &&
384 !strequal(srvPrinc
, "host")) {
385 DEBUG(3, (__location__
": Attempting to add/update "
388 aderr
= ads_add_service_principal_name(ads
,
389 lp_netbios_name(), my_fqdn
, srvPrinc
);
390 if (!ADS_ERR_OK(aderr
)) {
391 DEBUG(1, (__location__
": failed to "
392 "ads_add_service_principal_name.\n"));
398 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, lp_netbios_name());
400 /* -1 indicates failure, everything else is OK */
401 DEBUG(1, (__location__
": ads_get_machine_kvno failed to "
402 "determine the system's kvno.\n"));
407 /* add the fqdn principal to the keytab */
408 ret
= smb_krb5_kt_add_entry(context
, keytab
, kvno
,
409 princ_s
, enctypes
, password
,
412 DEBUG(1, (__location__
": Failed to add entry to keytab\n"));
416 /* add the short principal name if we have one */
418 ret
= smb_krb5_kt_add_entry(context
, keytab
, kvno
,
419 short_princ_s
, enctypes
, password
,
422 DEBUG(1, (__location__
423 ": Failed to add short entry to keytab\n"));
432 krb5_kt_close(context
, keytab
);
435 krb5_free_context(context
);
440 /**********************************************************************
441 Flushes all entries from the system keytab.
442 ***********************************************************************/
444 int ads_keytab_flush(ADS_STRUCT
*ads
)
446 krb5_error_code ret
= 0;
447 krb5_context context
= NULL
;
448 krb5_keytab keytab
= NULL
;
452 initialize_krb5_error_table();
453 ret
= krb5_init_context(&context
);
455 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
456 error_message(ret
)));
460 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
462 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
463 error_message(ret
)));
467 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, lp_netbios_name());
469 /* -1 indicates a failure */
470 DEBUG(1, (__location__
": Error determining the kvno.\n"));
474 /* Seek and delete old keytab entries */
475 ret
= seek_and_delete_old_entries(context
, keytab
, kvno
,
476 NULL
, NULL
, true, false);
481 aderr
= ads_clear_service_principal_names(ads
, lp_netbios_name());
482 if (!ADS_ERR_OK(aderr
)) {
483 DEBUG(1, (__location__
": Error while clearing service "
484 "principal listings in LDAP.\n"));
490 krb5_kt_close(context
, keytab
);
493 krb5_free_context(context
);
498 /**********************************************************************
499 Adds all the required service principals to the system keytab.
500 ***********************************************************************/
502 int ads_keytab_create_default(ADS_STRUCT
*ads
)
504 krb5_error_code ret
= 0;
505 krb5_context context
= NULL
;
506 krb5_keytab keytab
= NULL
;
507 krb5_kt_cursor cursor
;
508 krb5_keytab_entry kt_entry
;
511 char *sam_account_name
, *upn
;
512 char **oldEntries
= NULL
, *princ_s
[26];
513 TALLOC_CTX
*tmpctx
= NULL
;
516 /* these are the main ones we need */
517 ret
= ads_keytab_add_entry(ads
, "host");
519 DEBUG(1, (__location__
": ads_keytab_add_entry failed while "
520 "adding 'host' principal.\n"));
525 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
526 really needs them and we will fall back to verifying against
529 ret
= ads_keytab_add_entry(ads
, "cifs"));
531 DEBUG(1, (__location__
": ads_keytab_add_entry failed while "
532 "adding 'cifs'.\n"));
537 memset(princ_s
, '\0', sizeof(princ_s
));
538 ZERO_STRUCT(kt_entry
);
541 initialize_krb5_error_table();
542 ret
= krb5_init_context(&context
);
544 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
545 error_message(ret
)));
549 tmpctx
= talloc_init(__location__
);
551 DEBUG(0, (__location__
": talloc_init() failed!\n"));
556 machine_name
= talloc_strdup(tmpctx
, lp_netbios_name());
562 /* now add the userPrincipalName and sAMAccountName entries */
563 sam_account_name
= ads_get_samaccountname(ads
, tmpctx
, machine_name
);
564 if (!sam_account_name
) {
565 DEBUG(0, (__location__
": unable to determine machine "
566 "account's name in AD!\n"));
571 /* upper case the sAMAccountName to make it easier for apps to
572 know what case to use in the keytab file */
573 if (!strupper_m(sam_account_name
)) {
578 ret
= ads_keytab_add_entry(ads
, sam_account_name
);
580 DEBUG(1, (__location__
": ads_keytab_add_entry() failed "
581 "while adding sAMAccountName (%s)\n",
586 /* remember that not every machine account will have a upn */
587 upn
= ads_get_upn(ads
, tmpctx
, machine_name
);
589 ret
= ads_keytab_add_entry(ads
, upn
);
591 DEBUG(1, (__location__
": ads_keytab_add_entry() "
592 "failed while adding UPN (%s)\n", upn
));
597 /* Now loop through the keytab and update any other existing entries */
598 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, machine_name
);
600 DEBUG(1, (__location__
": ads_get_machine_kvno() failed to "
601 "determine the system's kvno.\n"));
605 DEBUG(3, (__location__
": Searching for keytab entries to preserve "
608 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
610 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
611 error_message(ret
)));
615 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
616 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
617 while ((ret
= krb5_kt_next_entry(context
, keytab
,
618 &kt_entry
, &cursor
)) == 0) {
619 smb_krb5_kt_free_entry(context
, &kt_entry
);
620 ZERO_STRUCT(kt_entry
);
624 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
628 * Hmmm. There is no "rewind" function for the keytab. This means we
629 * have a race condition where someone else could add entries after
630 * we've counted them. Re-open asap to minimise the race. JRA.
632 DEBUG(3, (__location__
": Found %d entries in the keytab.\n", found
));
637 oldEntries
= talloc_array(tmpctx
, char *, found
);
639 DEBUG(1, (__location__
": Failed to allocate space to store "
640 "the old keytab entries (talloc failed?).\n"));
644 memset(oldEntries
, '\0', found
* sizeof(char *));
646 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
647 if (ret
== KRB5_KT_END
|| ret
== ENOENT
) {
648 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
653 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
654 if (kt_entry
.vno
!= kvno
) {
655 char *ktprinc
= NULL
;
658 /* This returns a malloc'ed string in ktprinc. */
659 ret
= smb_krb5_unparse_name(oldEntries
, context
,
663 DEBUG(1, (__location__
664 ": smb_krb5_unparse_name failed "
665 "(%s)\n", error_message(ret
)));
669 * From looking at the krb5 source they don't seem to
670 * take locale or mb strings into account.
671 * Maybe this is because they assume utf8 ?
672 * In this case we may need to convert from utf8 to
673 * mb charset here ? JRA.
675 p
= strchr_m(ktprinc
, '@');
680 p
= strchr_m(ktprinc
, '/');
684 for (i
= 0; i
< found
; i
++) {
685 if (!oldEntries
[i
]) {
686 oldEntries
[i
] = ktprinc
;
689 if (!strcmp(oldEntries
[i
], ktprinc
)) {
690 TALLOC_FREE(ktprinc
);
695 TALLOC_FREE(ktprinc
);
698 smb_krb5_kt_free_entry(context
, &kt_entry
);
699 ZERO_STRUCT(kt_entry
);
702 for (i
= 0; oldEntries
[i
]; i
++) {
703 ret
|= ads_keytab_add_entry(ads
, oldEntries
[i
]);
704 TALLOC_FREE(oldEntries
[i
]);
706 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
710 TALLOC_FREE(oldEntries
);
714 krb5_keytab_entry zero_kt_entry
;
715 ZERO_STRUCT(zero_kt_entry
);
716 if (memcmp(&zero_kt_entry
, &kt_entry
,
717 sizeof(krb5_keytab_entry
))) {
718 smb_krb5_kt_free_entry(context
, &kt_entry
);
722 krb5_kt_cursor zero_csr
;
723 ZERO_STRUCT(zero_csr
);
724 if ((memcmp(&cursor
, &zero_csr
,
725 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
726 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
730 krb5_kt_close(context
, keytab
);
733 krb5_free_context(context
);
738 #endif /* HAVE_ADS */
740 /**********************************************************************
742 ***********************************************************************/
744 int ads_keytab_list(const char *keytab_name
)
746 krb5_error_code ret
= 0;
747 krb5_context context
= NULL
;
748 krb5_keytab keytab
= NULL
;
749 krb5_kt_cursor cursor
;
750 krb5_keytab_entry kt_entry
;
752 ZERO_STRUCT(kt_entry
);
755 initialize_krb5_error_table();
756 ret
= krb5_init_context(&context
);
758 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
759 error_message(ret
)));
763 ret
= smb_krb5_open_keytab(context
, keytab_name
, False
, &keytab
);
765 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
766 error_message(ret
)));
770 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
776 printf("Vno Type Principal\n");
778 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
780 char *princ_s
= NULL
;
781 char *etype_s
= NULL
;
782 krb5_enctype enctype
= 0;
784 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
785 kt_entry
.principal
, &princ_s
);
790 enctype
= smb_get_enctype_from_kt_entry(&kt_entry
);
792 ret
= smb_krb5_enctype_to_string(context
, enctype
, &etype_s
);
794 (asprintf(&etype_s
, "UNKNOWN: %d\n", enctype
) == -1)) {
795 TALLOC_FREE(princ_s
);
799 printf("%3d %-43s %s\n", kt_entry
.vno
, etype_s
, princ_s
);
801 TALLOC_FREE(princ_s
);
804 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
810 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
815 /* Ensure we don't double free. */
816 ZERO_STRUCT(kt_entry
);
821 krb5_keytab_entry zero_kt_entry
;
822 ZERO_STRUCT(zero_kt_entry
);
823 if (memcmp(&zero_kt_entry
, &kt_entry
,
824 sizeof(krb5_keytab_entry
))) {
825 smb_krb5_kt_free_entry(context
, &kt_entry
);
829 krb5_kt_cursor zero_csr
;
830 ZERO_STRUCT(zero_csr
);
831 if ((memcmp(&cursor
, &zero_csr
,
832 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
833 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
838 krb5_kt_close(context
, keytab
);
841 krb5_free_context(context
);
846 #endif /* HAVE_KRB5 */