2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 3 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program. If not, see <http://www.gnu.org/licenses/>.
35 /**********************************************************************
36 **********************************************************************/
38 static krb5_error_code
seek_and_delete_old_entries(krb5_context context
,
44 bool keep_old_entries
)
47 krb5_kt_cursor cursor
;
48 krb5_kt_cursor zero_csr
;
49 krb5_keytab_entry kt_entry
;
50 krb5_keytab_entry zero_kt_entry
;
54 ZERO_STRUCT(zero_csr
);
55 ZERO_STRUCT(kt_entry
);
56 ZERO_STRUCT(zero_kt_entry
);
58 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
59 if (ret
== KRB5_KT_END
|| ret
== ENOENT
) {
64 DEBUG(3, (__location__
": Will try to delete old keytab entries\n"));
65 while (!krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
)) {
68 if (!flush
&& (princ_s
!= NULL
)) {
69 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
73 DEBUG(1, (__location__
74 ": smb_krb5_unparse_name failed "
75 "(%s)\n", error_message(ret
)));
79 #ifdef HAVE_KRB5_KT_COMPARE
80 name_ok
= krb5_kt_compare(context
, &kt_entry
,
83 name_ok
= (strcmp(ktprinc
, princ_s
) == 0);
87 DEBUG(10, (__location__
": ignoring keytab "
88 "entry principal %s, kvno = %d\n",
89 ktprinc
, kt_entry
.vno
));
92 * just free this entry and continue. */
93 ret
= smb_krb5_kt_free_entry(context
,
95 ZERO_STRUCT(kt_entry
);
97 DEBUG(1, (__location__
98 ": smb_krb5_kt_free_entry "
100 error_message(ret
)));
104 TALLOC_FREE(ktprinc
);
108 TALLOC_FREE(ktprinc
);
111 /*------------------------------------------------------------
112 * Save the entries with kvno - 1. This is what microsoft does
113 * to allow people with existing sessions that have kvno - 1
114 * to still work. Otherwise, when the password for the machine
115 * changes, all kerberizied sessions will 'break' until either
116 * the client reboots or the client's session key expires and
117 * they get a new session ticket with the new kvno.
120 if (!flush
&& (kt_entry
.vno
== kvno
- 1)) {
121 DEBUG(5, (__location__
": Saving previous (kvno %d) "
122 "entry for principal: %s.\n",
127 if (keep_old_entries
) {
128 DEBUG(5, (__location__
": Saving old (kvno %d) "
129 "entry for principal: %s.\n",
134 DEBUG(5, (__location__
": Found old entry for principal: %s "
135 "(kvno %d) - trying to remove it.\n",
136 princ_s
, kt_entry
.vno
));
138 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
141 DEBUG(1, (__location__
": krb5_kt_end_seq_get() "
142 "failed (%s)\n", error_message(ret
)));
145 ret
= krb5_kt_remove_entry(context
, keytab
, &kt_entry
);
147 DEBUG(1, (__location__
": krb5_kt_remove_entry() "
148 "failed (%s)\n", error_message(ret
)));
152 DEBUG(5, (__location__
": removed old entry for principal: "
153 "%s (kvno %d).\n", princ_s
, kt_entry
.vno
));
155 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
157 DEBUG(1, (__location__
": krb5_kt_start_seq() failed "
158 "(%s)\n", error_message(ret
)));
161 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
162 ZERO_STRUCT(kt_entry
);
164 DEBUG(1, (__location__
": krb5_kt_remove_entry() "
165 "failed (%s)\n", error_message(ret
)));
171 if (memcmp(&zero_kt_entry
, &kt_entry
, sizeof(krb5_keytab_entry
))) {
172 smb_krb5_kt_free_entry(context
, &kt_entry
);
175 if (memcmp(&cursor
, &zero_csr
, sizeof(krb5_kt_cursor
)) != 0) {
176 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
183 static int smb_krb5_kt_add_entry(krb5_context context
,
187 krb5_enctype
*enctypes
,
190 bool keep_old_entries
)
193 krb5_keytab_entry kt_entry
;
194 krb5_principal princ
= NULL
;
197 ZERO_STRUCT(kt_entry
);
199 ret
= smb_krb5_parse_name(context
, princ_s
, &princ
);
201 DEBUG(1, (__location__
": smb_krb5_parse_name(%s) "
202 "failed (%s)\n", princ_s
, error_message(ret
)));
206 /* Seek and delete old keytab entries */
207 ret
= seek_and_delete_old_entries(context
, keytab
, kvno
,
208 princ_s
, princ
, false,
214 /* If we get here, we have deleted all the old entries with kvno's
215 * not equal to the current kvno-1. */
217 /* Now add keytab entries for all encryption types */
218 for (i
= 0; enctypes
[i
]; i
++) {
221 keyp
= KRB5_KT_KEY(&kt_entry
);
223 if (create_kerberos_key_from_string(context
, princ
,
225 enctypes
[i
], no_salt
)) {
229 kt_entry
.principal
= princ
;
232 DEBUG(3, (__location__
": adding keytab entry for (%s) with "
233 "encryption type (%d) and version (%d)\n",
234 princ_s
, enctypes
[i
], kt_entry
.vno
));
235 ret
= krb5_kt_add_entry(context
, keytab
, &kt_entry
);
236 krb5_free_keyblock_contents(context
, keyp
);
237 ZERO_STRUCT(kt_entry
);
239 DEBUG(1, (__location__
": adding entry to keytab "
240 "failed (%s)\n", error_message(ret
)));
247 krb5_free_principal(context
, princ
);
255 /**********************************************************************
256 Adds a single service principal, i.e. 'host' to the system keytab
257 ***********************************************************************/
259 int ads_keytab_add_entry(ADS_STRUCT
*ads
, const char *srvPrinc
)
261 krb5_error_code ret
= 0;
262 krb5_context context
= NULL
;
263 krb5_keytab keytab
= NULL
;
266 krb5_enctype enctypes
[4] = {
269 ENCTYPE_ARCFOUR_HMAC
,
272 char *princ_s
= NULL
;
273 char *short_princ_s
= NULL
;
274 char *password_s
= NULL
;
276 TALLOC_CTX
*tmpctx
= NULL
;
280 initialize_krb5_error_table();
281 ret
= krb5_init_context(&context
);
283 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
284 error_message(ret
)));
288 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
290 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
291 error_message(ret
)));
295 /* retrieve the password */
296 if (!secrets_init()) {
297 DEBUG(1, (__location__
": secrets_init failed\n"));
301 password_s
= secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
303 DEBUG(1, (__location__
": failed to fetch machine password\n"));
307 ZERO_STRUCT(password
);
308 password
.data
= password_s
;
309 password
.length
= strlen(password_s
);
311 /* we need the dNSHostName value here */
312 tmpctx
= talloc_init(__location__
);
314 DEBUG(0, (__location__
": talloc_init() failed!\n"));
319 my_fqdn
= ads_get_dnshostname(ads
, tmpctx
, lp_netbios_name());
321 DEBUG(0, (__location__
": unable to determine machine "
322 "account's dns name in AD!\n"));
327 machine_name
= ads_get_samaccountname(ads
, tmpctx
, lp_netbios_name());
329 DEBUG(0, (__location__
": unable to determine machine "
330 "account's short name in AD!\n"));
334 /*strip the trailing '$' */
335 machine_name
[strlen(machine_name
)-1] = '\0';
337 /* Construct our principal */
338 if (strchr_m(srvPrinc
, '@')) {
339 /* It's a fully-named principal. */
340 princ_s
= talloc_asprintf(tmpctx
, "%s", srvPrinc
);
345 } else if (srvPrinc
[strlen(srvPrinc
)-1] == '$') {
346 /* It's the machine account, as used by smbclient clients. */
347 princ_s
= talloc_asprintf(tmpctx
, "%s@%s",
348 srvPrinc
, lp_realm());
354 /* It's a normal service principal. Add the SPN now so that we
355 * can obtain credentials for it and double-check the salt value
356 * used to generate the service's keys. */
358 princ_s
= talloc_asprintf(tmpctx
, "%s/%s@%s",
359 srvPrinc
, my_fqdn
, lp_realm());
364 short_princ_s
= talloc_asprintf(tmpctx
, "%s/%s@%s",
365 srvPrinc
, machine_name
,
372 /* According to http://support.microsoft.com/kb/326985/en-us,
373 certain principal names are automatically mapped to the
374 host/... principal in the AD account.
375 So only create these in the keytab, not in AD. --jerry */
377 if (!strequal(srvPrinc
, "cifs") &&
378 !strequal(srvPrinc
, "host")) {
379 DEBUG(3, (__location__
": Attempting to add/update "
382 aderr
= ads_add_service_principal_name(ads
,
383 lp_netbios_name(), my_fqdn
, srvPrinc
);
384 if (!ADS_ERR_OK(aderr
)) {
385 DEBUG(1, (__location__
": failed to "
386 "ads_add_service_principal_name.\n"));
392 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, lp_netbios_name());
394 /* -1 indicates failure, everything else is OK */
395 DEBUG(1, (__location__
": ads_get_machine_kvno failed to "
396 "determine the system's kvno.\n"));
401 /* add the fqdn principal to the keytab */
402 ret
= smb_krb5_kt_add_entry(context
, keytab
, kvno
,
403 princ_s
, enctypes
, password
,
406 DEBUG(1, (__location__
": Failed to add entry to keytab\n"));
410 /* add the short principal name if we have one */
412 ret
= smb_krb5_kt_add_entry(context
, keytab
, kvno
,
413 short_princ_s
, enctypes
, password
,
416 DEBUG(1, (__location__
417 ": Failed to add short entry to keytab\n"));
426 krb5_kt_close(context
, keytab
);
429 krb5_free_context(context
);
434 /**********************************************************************
435 Flushes all entries from the system keytab.
436 ***********************************************************************/
438 int ads_keytab_flush(ADS_STRUCT
*ads
)
440 krb5_error_code ret
= 0;
441 krb5_context context
= NULL
;
442 krb5_keytab keytab
= NULL
;
446 initialize_krb5_error_table();
447 ret
= krb5_init_context(&context
);
449 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
450 error_message(ret
)));
454 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
456 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
457 error_message(ret
)));
461 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, lp_netbios_name());
463 /* -1 indicates a failure */
464 DEBUG(1, (__location__
": Error determining the kvno.\n"));
468 /* Seek and delete old keytab entries */
469 ret
= seek_and_delete_old_entries(context
, keytab
, kvno
,
470 NULL
, NULL
, true, false);
475 aderr
= ads_clear_service_principal_names(ads
, lp_netbios_name());
476 if (!ADS_ERR_OK(aderr
)) {
477 DEBUG(1, (__location__
": Error while clearing service "
478 "principal listings in LDAP.\n"));
484 krb5_kt_close(context
, keytab
);
487 krb5_free_context(context
);
492 /**********************************************************************
493 Adds all the required service principals to the system keytab.
494 ***********************************************************************/
496 int ads_keytab_create_default(ADS_STRUCT
*ads
)
498 krb5_error_code ret
= 0;
499 krb5_context context
= NULL
;
500 krb5_keytab keytab
= NULL
;
501 krb5_kt_cursor cursor
;
502 krb5_keytab_entry kt_entry
;
505 char *sam_account_name
, *upn
;
506 char **oldEntries
= NULL
, *princ_s
[26];
507 TALLOC_CTX
*tmpctx
= NULL
;
510 /* these are the main ones we need */
511 ret
= ads_keytab_add_entry(ads
, "host");
513 DEBUG(1, (__location__
": ads_keytab_add_entry failed while "
514 "adding 'host' principal.\n"));
519 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
520 really needs them and we will fall back to verifying against
523 ret
= ads_keytab_add_entry(ads
, "cifs"));
525 DEBUG(1, (__location__
": ads_keytab_add_entry failed while "
526 "adding 'cifs'.\n"));
531 memset(princ_s
, '\0', sizeof(princ_s
));
532 ZERO_STRUCT(kt_entry
);
535 initialize_krb5_error_table();
536 ret
= krb5_init_context(&context
);
538 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
539 error_message(ret
)));
543 tmpctx
= talloc_init(__location__
);
545 DEBUG(0, (__location__
": talloc_init() failed!\n"));
550 machine_name
= talloc_strdup(tmpctx
, lp_netbios_name());
556 /* now add the userPrincipalName and sAMAccountName entries */
557 sam_account_name
= ads_get_samaccountname(ads
, tmpctx
, machine_name
);
558 if (!sam_account_name
) {
559 DEBUG(0, (__location__
": unable to determine machine "
560 "account's name in AD!\n"));
565 /* upper case the sAMAccountName to make it easier for apps to
566 know what case to use in the keytab file */
567 if (!strupper_m(sam_account_name
)) {
572 ret
= ads_keytab_add_entry(ads
, sam_account_name
);
574 DEBUG(1, (__location__
": ads_keytab_add_entry() failed "
575 "while adding sAMAccountName (%s)\n",
580 /* remember that not every machine account will have a upn */
581 upn
= ads_get_upn(ads
, tmpctx
, machine_name
);
583 ret
= ads_keytab_add_entry(ads
, upn
);
585 DEBUG(1, (__location__
": ads_keytab_add_entry() "
586 "failed while adding UPN (%s)\n", upn
));
591 /* Now loop through the keytab and update any other existing entries */
592 kvno
= (krb5_kvno
)ads_get_machine_kvno(ads
, machine_name
);
594 DEBUG(1, (__location__
": ads_get_machine_kvno() failed to "
595 "determine the system's kvno.\n"));
599 DEBUG(3, (__location__
": Searching for keytab entries to preserve "
602 ret
= smb_krb5_open_keytab(context
, NULL
, True
, &keytab
);
604 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
605 error_message(ret
)));
609 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
610 if (ret
!= KRB5_KT_END
&& ret
!= ENOENT
) {
611 while ((ret
= krb5_kt_next_entry(context
, keytab
,
612 &kt_entry
, &cursor
)) == 0) {
613 smb_krb5_kt_free_entry(context
, &kt_entry
);
614 ZERO_STRUCT(kt_entry
);
618 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
622 * Hmmm. There is no "rewind" function for the keytab. This means we
623 * have a race condition where someone else could add entries after
624 * we've counted them. Re-open asap to minimise the race. JRA.
626 DEBUG(3, (__location__
": Found %d entries in the keytab.\n", found
));
631 oldEntries
= talloc_array(tmpctx
, char *, found
);
633 DEBUG(1, (__location__
": Failed to allocate space to store "
634 "the old keytab entries (talloc failed?).\n"));
638 memset(oldEntries
, '\0', found
* sizeof(char *));
640 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
641 if (ret
== KRB5_KT_END
|| ret
== ENOENT
) {
642 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
647 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
648 if (kt_entry
.vno
!= kvno
) {
649 char *ktprinc
= NULL
;
652 /* This returns a malloc'ed string in ktprinc. */
653 ret
= smb_krb5_unparse_name(oldEntries
, context
,
657 DEBUG(1, (__location__
658 ": smb_krb5_unparse_name failed "
659 "(%s)\n", error_message(ret
)));
663 * From looking at the krb5 source they don't seem to
664 * take locale or mb strings into account.
665 * Maybe this is because they assume utf8 ?
666 * In this case we may need to convert from utf8 to
667 * mb charset here ? JRA.
669 p
= strchr_m(ktprinc
, '@');
674 p
= strchr_m(ktprinc
, '/');
678 for (i
= 0; i
< found
; i
++) {
679 if (!oldEntries
[i
]) {
680 oldEntries
[i
] = ktprinc
;
683 if (!strcmp(oldEntries
[i
], ktprinc
)) {
684 TALLOC_FREE(ktprinc
);
689 TALLOC_FREE(ktprinc
);
692 smb_krb5_kt_free_entry(context
, &kt_entry
);
693 ZERO_STRUCT(kt_entry
);
696 for (i
= 0; oldEntries
[i
]; i
++) {
697 ret
|= ads_keytab_add_entry(ads
, oldEntries
[i
]);
698 TALLOC_FREE(oldEntries
[i
]);
700 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
704 TALLOC_FREE(oldEntries
);
708 krb5_keytab_entry zero_kt_entry
;
709 ZERO_STRUCT(zero_kt_entry
);
710 if (memcmp(&zero_kt_entry
, &kt_entry
,
711 sizeof(krb5_keytab_entry
))) {
712 smb_krb5_kt_free_entry(context
, &kt_entry
);
716 krb5_kt_cursor zero_csr
;
717 ZERO_STRUCT(zero_csr
);
718 if ((memcmp(&cursor
, &zero_csr
,
719 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
720 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
724 krb5_kt_close(context
, keytab
);
727 krb5_free_context(context
);
732 #endif /* HAVE_ADS */
734 /**********************************************************************
736 ***********************************************************************/
738 int ads_keytab_list(const char *keytab_name
)
740 krb5_error_code ret
= 0;
741 krb5_context context
= NULL
;
742 krb5_keytab keytab
= NULL
;
743 krb5_kt_cursor cursor
;
744 krb5_keytab_entry kt_entry
;
746 ZERO_STRUCT(kt_entry
);
749 initialize_krb5_error_table();
750 ret
= krb5_init_context(&context
);
752 DEBUG(1, (__location__
": could not krb5_init_context: %s\n",
753 error_message(ret
)));
757 ret
= smb_krb5_open_keytab(context
, keytab_name
, False
, &keytab
);
759 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
760 error_message(ret
)));
764 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
770 printf("Vno Type Principal\n");
772 while (krb5_kt_next_entry(context
, keytab
, &kt_entry
, &cursor
) == 0) {
774 char *princ_s
= NULL
;
775 char *etype_s
= NULL
;
776 krb5_enctype enctype
= 0;
778 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
779 kt_entry
.principal
, &princ_s
);
784 enctype
= smb_get_enctype_from_kt_entry(&kt_entry
);
786 ret
= smb_krb5_enctype_to_string(context
, enctype
, &etype_s
);
788 (asprintf(&etype_s
, "UNKNOWN: %d\n", enctype
) == -1)) {
789 TALLOC_FREE(princ_s
);
793 printf("%3d %-43s %s\n", kt_entry
.vno
, etype_s
, princ_s
);
795 TALLOC_FREE(princ_s
);
798 ret
= smb_krb5_kt_free_entry(context
, &kt_entry
);
804 ret
= krb5_kt_end_seq_get(context
, keytab
, &cursor
);
809 /* Ensure we don't double free. */
810 ZERO_STRUCT(kt_entry
);
815 krb5_keytab_entry zero_kt_entry
;
816 ZERO_STRUCT(zero_kt_entry
);
817 if (memcmp(&zero_kt_entry
, &kt_entry
,
818 sizeof(krb5_keytab_entry
))) {
819 smb_krb5_kt_free_entry(context
, &kt_entry
);
823 krb5_kt_cursor zero_csr
;
824 ZERO_STRUCT(zero_csr
);
825 if ((memcmp(&cursor
, &zero_csr
,
826 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
827 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
832 krb5_kt_close(context
, keytab
);
835 krb5_free_context(context
);
840 #endif /* HAVE_KRB5 */