2
Unix SMB/CIFS implementation.
3
kerberos keytab utility library
4
Copyright (C) Andrew Tridgell 2001
5
Copyright (C) Remus Koos 2001
6
Copyright (C) Luke Howard 2003
7
Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8
Copyright (C) Guenther Deschner 2003
9
Copyright (C) Rakesh Patel 2004
10
Copyright (C) Dan Perry 2004
11
Copyright (C) Jeremy Allison 2004
12
Copyright (C) Gerald Carter 2006
14
This program is free software; you can redistribute it and/or modify
15
it under the terms of the GNU General Public License as published by
16
the Free Software Foundation; either version 3 of the License, or
17
(at your option) any later version.
19
This program is distributed in the hope that it will be useful,
20
but WITHOUT ANY WARRANTY; without even the implied warranty of
21
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22
GNU General Public License for more details.
24
You should have received a copy of the GNU General Public License
25
along with this program. If not, see <http://www.gnu.org/licenses/>.
33
/**********************************************************************
34
**********************************************************************/
36
int smb_krb5_kt_add_entry_ext(krb5_context context,
40
krb5_enctype *enctypes,
43
bool keep_old_entries)
45
krb5_error_code ret = 0;
46
krb5_kt_cursor cursor;
47
krb5_keytab_entry kt_entry;
48
krb5_principal princ = NULL;
52
ZERO_STRUCT(kt_entry);
55
ret = smb_krb5_parse_name(context, princ_s, &princ);
57
DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
61
/* Seek and delete old keytab entries */
62
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
63
if (ret != KRB5_KT_END && ret != ENOENT ) {
64
DEBUG(3,("smb_krb5_kt_add_entry_ext: Will try to delete old keytab entries\n"));
65
while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
66
bool compare_name_ok = False;
68
ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal, &ktprinc);
70
DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_unparse_name failed (%s)\n",
75
/*---------------------------------------------------------------------------
76
* Save the entries with kvno - 1. This is what microsoft does
77
* to allow people with existing sessions that have kvno - 1 to still
78
* work. Otherwise, when the password for the machine changes, all
79
* kerberizied sessions will 'break' until either the client reboots or
80
* the client's session key expires and they get a new session ticket
84
#ifdef HAVE_KRB5_KT_COMPARE
85
compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
87
compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
90
if (!compare_name_ok) {
91
DEBUG(10,("smb_krb5_kt_add_entry_ext: ignoring keytab entry principal %s, kvno = %d\n",
92
ktprinc, kt_entry.vno));
97
if (compare_name_ok) {
98
if (kt_entry.vno == kvno - 1) {
99
DEBUG(5,("smb_krb5_kt_add_entry_ext: Saving previous (kvno %d) entry for principal: %s.\n",
101
} else if (!keep_old_entries) {
102
DEBUG(5,("smb_krb5_kt_add_entry_ext: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
103
princ_s, kt_entry.vno));
104
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
107
DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get() failed (%s)\n",
108
error_message(ret)));
111
ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
113
DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
114
error_message(ret)));
118
DEBUG(5,("smb_krb5_kt_add_entry_ext: removed old entry for principal: %s (kvno %d).\n",
119
princ_s, kt_entry.vno));
121
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
123
DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_start_seq failed (%s)\n",
124
error_message(ret)));
127
ret = smb_krb5_kt_free_entry(context, &kt_entry);
128
ZERO_STRUCT(kt_entry);
130
DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_remove_entry failed (%s)\n",
131
error_message(ret)));
138
/* Not a match, just free this entry and continue. */
139
ret = smb_krb5_kt_free_entry(context, &kt_entry);
140
ZERO_STRUCT(kt_entry);
142
DEBUG(1,("smb_krb5_kt_add_entry_ext: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
147
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
150
DEBUG(1,("smb_krb5_kt_add_entry_ext: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
155
/* Ensure we don't double free. */
156
ZERO_STRUCT(kt_entry);
159
/* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
161
/* Now add keytab entries for all encryption types */
162
for (i = 0; enctypes[i]; i++) {
165
keyp = KRB5_KT_KEY(&kt_entry);
167
if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
171
kt_entry.principal = princ;
174
DEBUG(3,("smb_krb5_kt_add_entry_ext: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
175
princ_s, enctypes[i], kt_entry.vno));
176
ret = krb5_kt_add_entry(context, keytab, &kt_entry);
177
krb5_free_keyblock_contents(context, keyp);
178
ZERO_STRUCT(kt_entry);
180
DEBUG(1,("smb_krb5_kt_add_entry_ext: adding entry to keytab failed (%s)\n", error_message(ret)));
188
krb5_keytab_entry zero_kt_entry;
189
ZERO_STRUCT(zero_kt_entry);
190
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
191
smb_krb5_kt_free_entry(context, &kt_entry);
195
krb5_free_principal(context, princ);
199
krb5_kt_cursor zero_csr;
200
ZERO_STRUCT(zero_csr);
201
if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
202
krb5_kt_end_seq_get(context, keytab, &cursor);
209
static int smb_krb5_kt_add_entry(krb5_context context,
213
krb5_enctype *enctypes,
216
return smb_krb5_kt_add_entry_ext(context,
226
/**********************************************************************
227
Adds a single service principal, i.e. 'host' to the system keytab
228
***********************************************************************/
230
int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
232
krb5_error_code ret = 0;
233
krb5_context context = NULL;
234
krb5_keytab keytab = NULL;
237
krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
238
char *princ_s = NULL, *short_princ_s = NULL;
239
char *password_s = NULL;
241
TALLOC_CTX *ctx = NULL;
244
#if defined(ENCTYPE_ARCFOUR_HMAC)
245
enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
248
initialize_krb5_error_table();
249
ret = krb5_init_context(&context);
251
DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
255
ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
257
DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
261
/* retrieve the password */
262
if (!secrets_init()) {
263
DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
267
password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
269
DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
273
ZERO_STRUCT(password);
274
password.data = password_s;
275
password.length = strlen(password_s);
277
/* we need the dNSHostName value here */
279
if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
280
DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
285
if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
286
DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
291
if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
292
DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
296
/*strip the trailing '$' */
297
machine_name[strlen(machine_name)-1] = '\0';
299
/* Construct our principal */
301
if (strchr_m(srvPrinc, '@')) {
302
/* It's a fully-named principal. */
303
if (asprintf(&princ_s, "%s", srvPrinc) == -1) {
307
} else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
308
/* It's the machine account, as used by smbclient clients. */
309
if (asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()) == -1) {
314
/* It's a normal service principal. Add the SPN now so that we
315
* can obtain credentials for it and double-check the salt value
316
* used to generate the service's keys. */
318
if (asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()) == -1) {
322
if (asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm()) == -1) {
327
/* According to http://support.microsoft.com/kb/326985/en-us,
328
certain principal names are automatically mapped to the host/...
329
principal in the AD account. So only create these in the
330
keytab, not in AD. --jerry */
332
if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
333
DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
335
if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
336
DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
342
kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
343
if (kvno == -1) { /* -1 indicates failure, everything else is OK */
344
DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
349
/* add the fqdn principal to the keytab */
351
ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
353
DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
357
/* add the short principal name if we have one */
359
if ( short_princ_s ) {
360
ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
362
DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
368
SAFE_FREE( princ_s );
369
SAFE_FREE( short_princ_s );
373
krb5_kt_close(context, keytab);
376
krb5_free_context(context);
381
/**********************************************************************
382
Flushes all entries from the system keytab.
383
***********************************************************************/
385
int ads_keytab_flush(ADS_STRUCT *ads)
387
krb5_error_code ret = 0;
388
krb5_context context = NULL;
389
krb5_keytab keytab = NULL;
390
krb5_kt_cursor cursor;
391
krb5_keytab_entry kt_entry;
394
ZERO_STRUCT(kt_entry);
397
initialize_krb5_error_table();
398
ret = krb5_init_context(&context);
400
DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
404
ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
406
DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
410
kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
411
if (kvno == -1) { /* -1 indicates a failure */
412
DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
416
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
417
if (ret != KRB5_KT_END && ret != ENOENT) {
418
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
419
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
422
DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
425
ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
427
DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
430
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
432
DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
435
ret = smb_krb5_kt_free_entry(context, &kt_entry);
436
ZERO_STRUCT(kt_entry);
438
DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
444
/* Ensure we don't double free. */
445
ZERO_STRUCT(kt_entry);
448
if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
449
DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
456
krb5_keytab_entry zero_kt_entry;
457
ZERO_STRUCT(zero_kt_entry);
458
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
459
smb_krb5_kt_free_entry(context, &kt_entry);
463
krb5_kt_cursor zero_csr;
464
ZERO_STRUCT(zero_csr);
465
if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
466
krb5_kt_end_seq_get(context, keytab, &cursor);
470
krb5_kt_close(context, keytab);
473
krb5_free_context(context);
478
/**********************************************************************
479
Adds all the required service principals to the system keytab.
480
***********************************************************************/
482
int ads_keytab_create_default(ADS_STRUCT *ads)
484
krb5_error_code ret = 0;
485
krb5_context context = NULL;
486
krb5_keytab keytab = NULL;
487
krb5_kt_cursor cursor;
488
krb5_keytab_entry kt_entry;
491
char *sam_account_name, *upn;
492
char **oldEntries = NULL, *princ_s[26];
493
TALLOC_CTX *ctx = NULL;
494
fstring machine_name;
496
memset(princ_s, '\0', sizeof(princ_s));
498
fstrcpy( machine_name, global_myname() );
500
/* these are the main ones we need */
502
if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
503
DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
508
#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
509
really needs them and we will fall back to verifying against secrets.tdb */
511
if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
512
DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
517
if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
518
DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
522
/* now add the userPrincipalName and sAMAccountName entries */
524
if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
525
DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
530
/* upper case the sAMAccountName to make it easier for apps to
531
know what case to use in the keytab file */
533
strupper_m( sam_account_name );
535
if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
536
DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
541
/* remember that not every machine account will have a upn */
543
upn = ads_get_upn( ads, ctx, machine_name);
545
if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
546
DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
553
/* Now loop through the keytab and update any other existing entries... */
555
kvno = (krb5_kvno) ads_get_machine_kvno(ads, machine_name);
557
DEBUG(1,("ads_keytab_create_default: ads_get_machine_kvno failed to determine the system's kvno.\n"));
562
DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
563
"preserve and update.\n"));
565
ZERO_STRUCT(kt_entry);
568
initialize_krb5_error_table();
569
ret = krb5_init_context(&context);
571
DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
576
ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
578
DEBUG(1,("ads_keytab_create_default: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
582
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
583
if (ret != KRB5_KT_END && ret != ENOENT ) {
584
while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
585
smb_krb5_kt_free_entry(context, &kt_entry);
586
ZERO_STRUCT(kt_entry);
590
krb5_kt_end_seq_get(context, keytab, &cursor);
594
* Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
595
* where someone else could add entries after we've counted them. Re-open asap to minimise
599
DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
603
oldEntries = talloc_array(ctx, char *, found );
605
DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
609
memset(oldEntries, '\0', found * sizeof(char *));
611
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
612
if (ret != KRB5_KT_END && ret != ENOENT ) {
613
while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
614
if (kt_entry.vno != kvno) {
615
char *ktprinc = NULL;
618
/* This returns a malloc'ed string in ktprinc. */
619
ret = smb_krb5_unparse_name(oldEntries, context, kt_entry.principal, &ktprinc);
621
DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
625
* From looking at the krb5 source they don't seem to take locale
626
* or mb strings into account. Maybe this is because they assume utf8 ?
627
* In this case we may need to convert from utf8 to mb charset here ? JRA.
629
p = strchr_m(ktprinc, '@');
634
p = strchr_m(ktprinc, '/');
638
for (i = 0; i < found; i++) {
639
if (!oldEntries[i]) {
640
oldEntries[i] = ktprinc;
643
if (!strcmp(oldEntries[i], ktprinc)) {
644
TALLOC_FREE(ktprinc);
649
TALLOC_FREE(ktprinc);
652
smb_krb5_kt_free_entry(context, &kt_entry);
653
ZERO_STRUCT(kt_entry);
656
for (i = 0; oldEntries[i]; i++) {
657
ret |= ads_keytab_add_entry(ads, oldEntries[i]);
658
TALLOC_FREE(oldEntries[i]);
660
krb5_kt_end_seq_get(context, keytab, &cursor);
666
TALLOC_FREE(oldEntries);
670
krb5_keytab_entry zero_kt_entry;
671
ZERO_STRUCT(zero_kt_entry);
672
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
673
smb_krb5_kt_free_entry(context, &kt_entry);
677
krb5_kt_cursor zero_csr;
678
ZERO_STRUCT(zero_csr);
679
if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
680
krb5_kt_end_seq_get(context, keytab, &cursor);
684
krb5_kt_close(context, keytab);
687
krb5_free_context(context);
692
/**********************************************************************
694
***********************************************************************/
696
int ads_keytab_list(const char *keytab_name)
698
krb5_error_code ret = 0;
699
krb5_context context = NULL;
700
krb5_keytab keytab = NULL;
701
krb5_kt_cursor cursor;
702
krb5_keytab_entry kt_entry;
704
ZERO_STRUCT(kt_entry);
707
initialize_krb5_error_table();
708
ret = krb5_init_context(&context);
710
DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
714
ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
716
DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
720
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
725
printf("Vno Type Principal\n");
727
while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
729
char *princ_s = NULL;
730
char *etype_s = NULL;
731
krb5_enctype enctype = 0;
733
ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal, &princ_s);
738
enctype = smb_get_enctype_from_kt_entry(&kt_entry);
740
ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
742
if (asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)
744
TALLOC_FREE(princ_s);
749
printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
751
TALLOC_FREE(princ_s);
754
ret = smb_krb5_kt_free_entry(context, &kt_entry);
760
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
765
/* Ensure we don't double free. */
766
ZERO_STRUCT(kt_entry);
771
krb5_keytab_entry zero_kt_entry;
772
ZERO_STRUCT(zero_kt_entry);
773
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
774
smb_krb5_kt_free_entry(context, &kt_entry);
778
krb5_kt_cursor zero_csr;
779
ZERO_STRUCT(zero_csr);
780
if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
781
krb5_kt_end_seq_get(context, keytab, &cursor);
786
krb5_kt_close(context, keytab);
789
krb5_free_context(context);
794
#endif /* HAVE_KRB5 */