Context Navigation

source: trunk-3.0/source/libads/kerberos_keytab.c@ 103

Visit:

Last change on this file since 103 was 22, checked in by Yuri Dario, 19 years ago
Source code upgrade to 3.0.25pre2.
File size: 21.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	kerberos keytab utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Luke Howard 2003
7	Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8	Copyright (C) Guenther Deschner 2003
9	Copyright (C) Rakesh Patel 2004
10	Copyright (C) Dan Perry 2004
11	Copyright (C) Jeremy Allison 2004
12	Copyright (C) Gerald Carter 2006
13
14	This program is free software; you can redistribute it and/or modify
15	it under the terms of the GNU General Public License as published by
16	the Free Software Foundation; either version 2 of the License, or
17	(at your option) any later version.
18
19	This program is distributed in the hope that it will be useful,
20	but WITHOUT ANY WARRANTY; without even the implied warranty of
21	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22	GNU General Public License for more details.
23
24	You should have received a copy of the GNU General Public License
25	along with this program; if not, write to the Free Software
26	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27	*/
28
29	#include "includes.h"
30
31	#ifdef HAVE_KRB5
32
33	/* This MAX_NAME_LEN is a constant defined in krb5.h */
34	#ifndef MAX_KEYTAB_NAME_LEN
35	#define MAX_KEYTAB_NAME_LEN 1100
36	#endif
37
38
39	/**********************************************************************
40	**********************************************************************/
41
42	static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
43	krb5_kvno kvno, const char *princ_s,
44	krb5_enctype *enctypes, krb5_data password )
45	{
46	krb5_error_code ret = 0;
47	krb5_kt_cursor cursor;
48	krb5_keytab_entry kt_entry;
49	krb5_principal princ = NULL;
50	int i;
51	char *ktprinc = NULL;
52
53	ZERO_STRUCT(kt_entry);
54	ZERO_STRUCT(cursor);
55
56	ret = smb_krb5_parse_name(context, princ_s, &princ);
57	if (ret) {
58	DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
59	goto out;
60	}
61
62	/* Seek and delete old keytab entries */
63	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
64	if (ret != KRB5_KT_END && ret != ENOENT ) {
65	DEBUG(3,("smb_krb5_kt_add_entry: Will try to delete old keytab entries\n"));
66	while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
67	BOOL compare_name_ok = False;
68
69	ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
70	if (ret) {
71	DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_unparse_name failed (%s)\n",
72	error_message(ret)));
73	goto out;
74	}
75
76	/*---------------------------------------------------------------------------
77	* Save the entries with kvno - 1. This is what microsoft does
78	* to allow people with existing sessions that have kvno - 1 to still
79	* work. Otherwise, when the password for the machine changes, all
80	* kerberizied sessions will 'break' until either the client reboots or
81	* the client's session key expires and they get a new session ticket
82	* with the new kvno.
83	*/
84
85	#ifdef HAVE_KRB5_KT_COMPARE
86	compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
87	#else
88	compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
89	#endif
90
91	if (!compare_name_ok) {
92	DEBUG(10,("smb_krb5_kt_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
93	ktprinc, kt_entry.vno));
94	}
95
96	SAFE_FREE(ktprinc);
97
98	if (compare_name_ok) {
99	if (kt_entry.vno == kvno - 1) {
100	DEBUG(5,("smb_krb5_kt_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
101	kvno - 1, princ_s));
102	} else {
103
104	DEBUG(5,("smb_krb5_kt_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
105	princ_s, kt_entry.vno));
106	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
107	ZERO_STRUCT(cursor);
108	if (ret) {
109	DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
110	error_message(ret)));
111	goto out;
112	}
113	ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
114	if (ret) {
115	DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
116	error_message(ret)));
117	goto out;
118	}
119
120	DEBUG(5,("smb_krb5_kt_add_entry: removed old entry for principal: %s (kvno %d).\n",
121	princ_s, kt_entry.vno));
122
123	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
124	if (ret) {
125	DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_start_seq failed (%s)\n",
126	error_message(ret)));
127	goto out;
128	}
129	ret = smb_krb5_kt_free_entry(context, &kt_entry);
130	ZERO_STRUCT(kt_entry);
131	if (ret) {
132	DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
133	error_message(ret)));
134	goto out;
135	}
136	continue;
137	}
138	}
139
140	/* Not a match, just free this entry and continue. */
141	ret = smb_krb5_kt_free_entry(context, &kt_entry);
142	ZERO_STRUCT(kt_entry);
143	if (ret) {
144	DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
145	goto out;
146	}
147	}
148
149	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
150	ZERO_STRUCT(cursor);
151	if (ret) {
152	DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
153	goto out;
154	}
155	}
156
157	/* Ensure we don't double free. */
158	ZERO_STRUCT(kt_entry);
159	ZERO_STRUCT(cursor);
160
161	/* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
162
163	/* Now add keytab entries for all encryption types */
164	for (i = 0; enctypes[i]; i++) {
165	krb5_keyblock *keyp;
166
167	#if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
168	#error krb5_keytab_entry has no key or keyblock member
169	#endif
170	#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
171	keyp = &kt_entry.key;
172	#endif
173	#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
174	keyp = &kt_entry.keyblock;
175	#endif
176	if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
177	continue;
178	}
179
180	kt_entry.principal = princ;
181	kt_entry.vno = kvno;
182
183	DEBUG(3,("smb_krb5_kt_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
184	princ_s, enctypes[i], kt_entry.vno));
185	ret = krb5_kt_add_entry(context, keytab, &kt_entry);
186	krb5_free_keyblock_contents(context, keyp);
187	ZERO_STRUCT(kt_entry);
188	if (ret) {
189	DEBUG(1,("smb_krb5_kt_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
190	goto out;
191	}
192	}
193
194
195	out:
196	{
197	krb5_keytab_entry zero_kt_entry;
198	ZERO_STRUCT(zero_kt_entry);
199	if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
200	smb_krb5_kt_free_entry(context, &kt_entry);
201	}
202	}
203	if (princ) {
204	krb5_free_principal(context, princ);
205	}
206
207	{
208	krb5_kt_cursor zero_csr;
209	ZERO_STRUCT(zero_csr);
210	if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
211	krb5_kt_end_seq_get(context, keytab, &cursor);
212	}
213	}
214
215	return (int)ret;
216	}
217
218
219	/**********************************************************************
220	Adds a single service principal, i.e. 'host' to the system keytab
221	***********************************************************************/
222
223	int ads_keytab_add_entry(ADS_STRUCT ads, const char srvPrinc)
224	{
225	krb5_error_code ret = 0;
226	krb5_context context = NULL;
227	krb5_keytab keytab = NULL;
228	krb5_data password;
229	krb5_kvno kvno;
230	krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
231	char princ_s = NULL, short_princ_s = NULL;
232	char *password_s = NULL;
233	char *my_fqdn;
234	char keytab_name[MAX_KEYTAB_NAME_LEN];
235	TALLOC_CTX *ctx = NULL;
236	char *machine_name;
237
238	#if defined(ENCTYPE_ARCFOUR_HMAC)
239	enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
240	#endif
241
242	initialize_krb5_error_table();
243	ret = krb5_init_context(&context);
244	if (ret) {
245	DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
246	return -1;
247	}
248
249	#ifdef HAVE_WRFILE_KEYTAB /* MIT */
250	keytab_name[0] = 'W';
251	keytab_name[1] = 'R';
252	ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
253	#else /* Heimdal */
254	ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
255	#endif
256	if (ret) {
257	DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret)));
258	goto out;
259	}
260	DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name));
261	ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
262	if (ret) {
263	DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret)));
264	goto out;
265	}
266
267	/* retrieve the password */
268	if (!secrets_init()) {
269	DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
270	ret = -1;
271	goto out;
272	}
273	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
274	if (!password_s) {
275	DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
276	ret = -1;
277	goto out;
278	}
279	password.data = password_s;
280	password.length = strlen(password_s);
281
282	/* we need the dNSHostName value here */
283
284	if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
285	DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
286	ret = -1;
287	goto out;
288	}
289
290	if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
291	DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
292	ret = -1;
293	goto out;
294	}
295
296	if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
297	DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
298	ret = -1;
299	goto out;
300	}
301	/strip the trailing '$' /
302	machine_name[strlen(machine_name)-1] = '\0';
303
304	/* Construct our principal */
305
306	if (strchr_m(srvPrinc, '@')) {
307	/* It's a fully-named principal. */
308	asprintf(&princ_s, "%s", srvPrinc);
309	} else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
310	/* It's the machine account, as used by smbclient clients. */
311	asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
312	} else {
313	/* It's a normal service principal. Add the SPN now so that we
314	* can obtain credentials for it and double-check the salt value
315	* used to generate the service's keys. */
316
317	asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
318	asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm());
319
320	/* According to http://support.microsoft.com/kb/326985/en-us,
321	certain principal names are automatically mapped to the host/...
322	principal in the AD account. So only create these in the
323	keytab, not in AD. --jerry */
324
325	if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
326	DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
327
328	if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
329	DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
330	goto out;
331	}
332	}
333	}
334
335	kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
336	if (kvno == -1) { /* -1 indicates failure, everything else is OK */
337	DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
338	ret = -1;
339	goto out;
340	}
341
342	/* add the fqdn principal to the keytab */
343
344	ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
345	if ( ret ) {
346	DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
347	goto out;
348	}
349
350	/* add the short principal name if we have one */
351
352	if ( short_princ_s ) {
353	ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
354	if ( ret ) {
355	DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
356	goto out;
357	}
358	}
359
360	out:
361	SAFE_FREE( princ_s );
362	SAFE_FREE( short_princ_s );
363	TALLOC_FREE( ctx );
364
365	if (keytab) {
366	krb5_kt_close(context, keytab);
367	}
368	if (context) {
369	krb5_free_context(context);
370	}
371	return (int)ret;
372	}
373
374	/**********************************************************************
375	Flushes all entries from the system keytab.
376	***********************************************************************/
377
378	int ads_keytab_flush(ADS_STRUCT *ads)
379	{
380	krb5_error_code ret = 0;
381	krb5_context context = NULL;
382	krb5_keytab keytab = NULL;
383	krb5_kt_cursor cursor;
384	krb5_keytab_entry kt_entry;
385	krb5_kvno kvno;
386	char keytab_name[MAX_KEYTAB_NAME_LEN];
387
388	ZERO_STRUCT(kt_entry);
389	ZERO_STRUCT(cursor);
390
391	initialize_krb5_error_table();
392	ret = krb5_init_context(&context);
393	if (ret) {
394	DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
395	return ret;
396	}
397	#ifdef HAVE_WRFILE_KEYTAB
398	keytab_name[0] = 'W';
399	keytab_name[1] = 'R';
400	ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4);
401	#else
402	ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2);
403	#endif
404	if (ret) {
405	DEBUG(1,("ads_keytab_flush: krb5_kt_default failed (%s)\n", error_message(ret)));
406	goto out;
407	}
408	DEBUG(3,("ads_keytab_flush: Using default keytab: %s\n", (char *) &keytab_name));
409	ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab);
410	if (ret) {
411	DEBUG(1,("ads_keytab_flush: krb5_kt_resolve failed (%s)\n", error_message(ret)));
412	goto out;
413	}
414
415	kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
416	if (kvno == -1) { /* -1 indicates a failure */
417	DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
418	goto out;
419	}
420
421	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
422	if (ret != KRB5_KT_END && ret != ENOENT) {
423	while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
424	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
425	ZERO_STRUCT(cursor);
426	if (ret) {
427	DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
428	goto out;
429	}
430	ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
431	if (ret) {
432	DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
433	goto out;
434	}
435	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
436	if (ret) {
437	DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
438	goto out;
439	}
440	ret = smb_krb5_kt_free_entry(context, &kt_entry);
441	ZERO_STRUCT(kt_entry);
442	if (ret) {
443	DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
444	goto out;
445	}
446	}
447	}
448
449	/* Ensure we don't double free. */
450	ZERO_STRUCT(kt_entry);
451	ZERO_STRUCT(cursor);
452
453	if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
454	DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
455	goto out;
456	}
457
458	out:
459
460	{
461	krb5_keytab_entry zero_kt_entry;
462	ZERO_STRUCT(zero_kt_entry);
463	if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
464	smb_krb5_kt_free_entry(context, &kt_entry);
465	}
466	}
467	{
468	krb5_kt_cursor zero_csr;
469	ZERO_STRUCT(zero_csr);
470	if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
471	krb5_kt_end_seq_get(context, keytab, &cursor);
472	}
473	}
474	if (keytab) {
475	krb5_kt_close(context, keytab);
476	}
477	if (context) {
478	krb5_free_context(context);
479	}
480	return ret;
481	}
482
483	/**********************************************************************
484	Adds all the required service principals to the system keytab.
485	***********************************************************************/
486
487	int ads_keytab_create_default(ADS_STRUCT *ads)
488	{
489	krb5_error_code ret = 0;
490	krb5_context context = NULL;
491	krb5_keytab keytab = NULL;
492	krb5_kt_cursor cursor;
493	krb5_keytab_entry kt_entry;
494	krb5_kvno kvno;
495	int i, found = 0;
496	char sam_account_name, upn;
497	char *oldEntries = NULL, princ_s[26];
498	TALLOC_CTX *ctx = NULL;
499	fstring machine_name;
500
501	memset(princ_s, '\0', sizeof(princ_s));
502
503	fstrcpy( machine_name, global_myname() );
504
505	/* these are the main ones we need */
506
507	if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
508	DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
509	return ret;
510	}
511
512
513	#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
514	really needs them and we will fall back to verifying against secrets.tdb */
515
516	if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
517	DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
518	return ret;
519	}
520	#endif
521
522	if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
523	DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
524	return -1;
525	}
526
527	/* now add the userPrincipalName and sAMAccountName entries */
528
529	if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
530	DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
531	TALLOC_FREE( ctx );
532	return -1;
533	}
534
535	/* upper case the sAMAccountName to make it easier for apps to
536	know what case to use in the keytab file */
537
538	strupper_m( sam_account_name );
539
540	if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
541	DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
542	sam_account_name));
543	return ret;
544	}
545
546	/* remember that not every machine account will have a upn */
547
548	upn = ads_get_upn( ads, ctx, machine_name);
549	if ( upn ) {
550	if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
551	DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
552	upn));
553	TALLOC_FREE( ctx );
554	return ret;
555	}
556	}
557
558	TALLOC_FREE( ctx );
559
560	/* Now loop through the keytab and update any other existing entries... */
561
562	kvno = (krb5_kvno) ads_get_kvno(ads, machine_name);
563	if (kvno == -1) {
564	DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
565	return -1;
566	}
567
568	DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
569	"preserve and update.\n"));
570
571	ZERO_STRUCT(kt_entry);
572	ZERO_STRUCT(cursor);
573
574	initialize_krb5_error_table();
575	ret = krb5_init_context(&context);
576	if (ret) {
577	DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
578	return ret;
579	}
580	ret = krb5_kt_default(context, &keytab);
581	if (ret) {
582	DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret)));
583	goto done;
584	}
585
586	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
587	if (ret != KRB5_KT_END && ret != ENOENT ) {
588	while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
589	smb_krb5_kt_free_entry(context, &kt_entry);
590	ZERO_STRUCT(kt_entry);
591	found++;
592	}
593	}
594	krb5_kt_end_seq_get(context, keytab, &cursor);
595	ZERO_STRUCT(cursor);
596
597	/*
598	* Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
599	* where someone else could add entries after we've counted them. Re-open asap to minimise
600	* the race. JRA.
601	*/
602
603	DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
604	if (!found) {
605	goto done;
606	}
607	oldEntries = SMB_MALLOC_ARRAY(char *, found );
608	if (!oldEntries) {
609	DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
610	ret = -1;
611	goto done;
612	}
613	memset(oldEntries, '\0', found * sizeof(char *));
614
615	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
616	if (ret != KRB5_KT_END && ret != ENOENT ) {
617	while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
618	if (kt_entry.vno != kvno) {
619	char *ktprinc = NULL;
620	char *p;
621
622	/* This returns a malloc'ed string in ktprinc. */
623	ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
624	if (ret) {
625	DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
626	goto done;
627	}
628	/*
629	* From looking at the krb5 source they don't seem to take locale
630	* or mb strings into account. Maybe this is because they assume utf8 ?
631	* In this case we may need to convert from utf8 to mb charset here ? JRA.
632	*/
633	p = strchr_m(ktprinc, '@');
634	if (p) {
635	*p = '\0';
636	}
637
638	p = strchr_m(ktprinc, '/');
639	if (p) {
640	*p = '\0';
641	}
642	for (i = 0; i < found; i++) {
643	if (!oldEntries[i]) {
644	oldEntries[i] = ktprinc;
645	break;
646	}
647	if (!strcmp(oldEntries[i], ktprinc)) {
648	SAFE_FREE(ktprinc);
649	break;
650	}
651	}
652	if (i == found) {
653	SAFE_FREE(ktprinc);
654	}
655	}
656	smb_krb5_kt_free_entry(context, &kt_entry);
657	ZERO_STRUCT(kt_entry);
658	}
659	ret = 0;
660	for (i = 0; oldEntries[i]; i++) {
661	ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
662	SAFE_FREE(oldEntries[i]);
663	}
664	krb5_kt_end_seq_get(context, keytab, &cursor);
665	}
666	ZERO_STRUCT(cursor);
667
668	done:
669
670	SAFE_FREE(oldEntries);
671
672	{
673	krb5_keytab_entry zero_kt_entry;
674	ZERO_STRUCT(zero_kt_entry);
675	if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
676	smb_krb5_kt_free_entry(context, &kt_entry);
677	}
678	}
679	{
680	krb5_kt_cursor zero_csr;
681	ZERO_STRUCT(zero_csr);
682	if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
683	krb5_kt_end_seq_get(context, keytab, &cursor);
684	}
685	}
686	if (keytab) {
687	krb5_kt_close(context, keytab);
688	}
689	if (context) {
690	krb5_free_context(context);
691	}
692	return ret;
693	}
694	#endif /* HAVE_KRB5 */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: