Context Navigation

source: vendor/3.6.23/source3/libads/kerberos_keytab.c

Visit:

Last change on this file was 860, checked in by Silvan Scherrer, 11 years ago
Samba 3.6: updated vendor to latest version
File size: 21.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	kerberos keytab utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Luke Howard 2003
7	Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8	Copyright (C) Guenther Deschner 2003
9	Copyright (C) Rakesh Patel 2004
10	Copyright (C) Dan Perry 2004
11	Copyright (C) Jeremy Allison 2004
12	Copyright (C) Gerald Carter 2006
13
14	This program is free software; you can redistribute it and/or modify
15	it under the terms of the GNU General Public License as published by
16	the Free Software Foundation; either version 3 of the License, or
17	(at your option) any later version.
18
19	This program is distributed in the hope that it will be useful,
20	but WITHOUT ANY WARRANTY; without even the implied warranty of
21	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22	GNU General Public License for more details.
23
24	You should have received a copy of the GNU General Public License
25	along with this program. If not, see <http://www.gnu.org/licenses/>.
26	*/
27
28	#include "includes.h"
29	#include "smb_krb5.h"
30	#include "ads.h"
31	#include "secrets.h"
32
33	#ifdef HAVE_KRB5
34
35	/**********************************************************************
36	**********************************************************************/
37
38	static krb5_error_code seek_and_delete_old_entries(krb5_context context,
39	krb5_keytab keytab,
40	krb5_kvno kvno,
41	const char *princ_s,
42	krb5_principal princ,
43	bool flush,
44	bool keep_old_entries)
45	{
46	krb5_error_code ret;
47	krb5_kt_cursor cursor;
48	krb5_kt_cursor zero_csr;
49	krb5_keytab_entry kt_entry;
50	krb5_keytab_entry zero_kt_entry;
51	char *ktprinc = NULL;
52
53	ZERO_STRUCT(cursor);
54	ZERO_STRUCT(zero_csr);
55	ZERO_STRUCT(kt_entry);
56	ZERO_STRUCT(zero_kt_entry);
57
58	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
59	if (ret == KRB5_KT_END \|\| ret == ENOENT ) {
60	/* no entries */
61	return 0;
62	}
63
64	DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
65	while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
66	bool name_ok = False;
67
68	if (!flush && (princ_s != NULL)) {
69	ret = smb_krb5_unparse_name(talloc_tos(), context,
70	kt_entry.principal,
71	&ktprinc);
72	if (ret) {
73	DEBUG(1, (__location__
74	": smb_krb5_unparse_name failed "
75	"(%s)\n", error_message(ret)));
76	goto out;
77	}
78
79	#ifdef HAVE_KRB5_KT_COMPARE
80	name_ok = krb5_kt_compare(context, &kt_entry,
81	princ, 0, 0);
82	#else
83	name_ok = (strcmp(ktprinc, princ_s) == 0);
84	#endif
85
86	if (!name_ok) {
87	DEBUG(10, (__location__ ": ignoring keytab "
88	"entry principal %s, kvno = %d\n",
89	ktprinc, kt_entry.vno));
90
91	/* Not a match,
92	* just free this entry and continue. */
93	ret = smb_krb5_kt_free_entry(context,
94	&kt_entry);
95	ZERO_STRUCT(kt_entry);
96	if (ret) {
97	DEBUG(1, (__location__
98	": smb_krb5_kt_free_entry "
99	"failed (%s)\n",
100	error_message(ret)));
101	goto out;
102	}
103
104	TALLOC_FREE(ktprinc);
105	continue;
106	}
107
108	TALLOC_FREE(ktprinc);
109	}
110
111	/*------------------------------------------------------------
112	* Save the entries with kvno - 1. This is what microsoft does
113	* to allow people with existing sessions that have kvno - 1
114	* to still work. Otherwise, when the password for the machine
115	* changes, all kerberizied sessions will 'break' until either
116	* the client reboots or the client's session key expires and
117	* they get a new session ticket with the new kvno.
118	*/
119
120	if (!flush && (kt_entry.vno == kvno - 1)) {
121	DEBUG(5, (__location__ ": Saving previous (kvno %d) "
122	"entry for principal: %s.\n",
123	kvno - 1, princ_s));
124	continue;
125	}
126
127	if (keep_old_entries) {
128	DEBUG(5, (__location__ ": Saving old (kvno %d) "
129	"entry for principal: %s.\n",
130	kvno, princ_s));
131	continue;
132	}
133
134	DEBUG(5, (__location__ ": Found old entry for principal: %s "
135	"(kvno %d) - trying to remove it.\n",
136	princ_s, kt_entry.vno));
137
138	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
139	ZERO_STRUCT(cursor);
140	if (ret) {
141	DEBUG(1, (__location__ ": krb5_kt_end_seq_get() "
142	"failed (%s)\n", error_message(ret)));
143	goto out;
144	}
145	ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
146	if (ret) {
147	DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
148	"failed (%s)\n", error_message(ret)));
149	goto out;
150	}
151
152	DEBUG(5, (__location__ ": removed old entry for principal: "
153	"%s (kvno %d).\n", princ_s, kt_entry.vno));
154
155	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
156	if (ret) {
157	DEBUG(1, (__location__ ": krb5_kt_start_seq() failed "
158	"(%s)\n", error_message(ret)));
159	goto out;
160	}
161	ret = smb_krb5_kt_free_entry(context, &kt_entry);
162	ZERO_STRUCT(kt_entry);
163	if (ret) {
164	DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
165	"failed (%s)\n", error_message(ret)));
166	goto out;
167	}
168	}
169
170	out:
171	if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
172	smb_krb5_kt_free_entry(context, &kt_entry);
173	}
174	if (keytab) {
175	if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
176	krb5_kt_end_seq_get(context, keytab, &cursor);
177	}
178	}
179
180	return ret;
181	}
182
183	static int smb_krb5_kt_add_entry(krb5_context context,
184	krb5_keytab keytab,
185	krb5_kvno kvno,
186	const char *princ_s,
187	krb5_enctype *enctypes,
188	krb5_data password,
189	bool no_salt,
190	bool keep_old_entries)
191	{
192	krb5_error_code ret;
193	krb5_keytab_entry kt_entry;
194	krb5_principal princ = NULL;
195	int i;
196
197	ZERO_STRUCT(kt_entry);
198
199	ret = smb_krb5_parse_name(context, princ_s, &princ);
200	if (ret) {
201	DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
202	"failed (%s)\n", princ_s, error_message(ret)));
203	goto out;
204	}
205
206	/* Seek and delete old keytab entries */
207	ret = seek_and_delete_old_entries(context, keytab, kvno,
208	princ_s, princ, false,
209	keep_old_entries);
210	if (ret) {
211	goto out;
212	}
213
214	/* If we get here, we have deleted all the old entries with kvno's
215	* not equal to the current kvno-1. */
216
217	/* Now add keytab entries for all encryption types */
218	for (i = 0; enctypes[i]; i++) {
219	krb5_keyblock *keyp;
220
221	keyp = KRB5_KT_KEY(&kt_entry);
222
223	if (create_kerberos_key_from_string(context, princ,
224	&password, keyp,
225	enctypes[i], no_salt)) {
226	continue;
227	}
228
229	kt_entry.principal = princ;
230	kt_entry.vno = kvno;
231
232	DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
233	"encryption type (%d) and version (%d)\n",
234	princ_s, enctypes[i], kt_entry.vno));
235	ret = krb5_kt_add_entry(context, keytab, &kt_entry);
236	krb5_free_keyblock_contents(context, keyp);
237	ZERO_STRUCT(kt_entry);
238	if (ret) {
239	DEBUG(1, (__location__ ": adding entry to keytab "
240	"failed (%s)\n", error_message(ret)));
241	goto out;
242	}
243	}
244
245	out:
246	if (princ) {
247	krb5_free_principal(context, princ);
248	}
249
250	return (int)ret;
251	}
252
253	/**********************************************************************
254	Adds a single service principal, i.e. 'host' to the system keytab
255	***********************************************************************/
256
257	int ads_keytab_add_entry(ADS_STRUCT ads, const char srvPrinc)
258	{
259	krb5_error_code ret = 0;
260	krb5_context context = NULL;
261	krb5_keytab keytab = NULL;
262	krb5_data password;
263	krb5_kvno kvno;
264	krb5_enctype enctypes[6] = {
265	ENCTYPE_DES_CBC_CRC,
266	ENCTYPE_DES_CBC_MD5,
267	#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
268	ENCTYPE_AES128_CTS_HMAC_SHA1_96,
269	#endif
270	#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
271	ENCTYPE_AES256_CTS_HMAC_SHA1_96,
272	#endif
273	ENCTYPE_ARCFOUR_HMAC,
274	0
275	};
276	char *princ_s = NULL;
277	char *short_princ_s = NULL;
278	char *password_s = NULL;
279	char *my_fqdn;
280	TALLOC_CTX *tmpctx = NULL;
281	char *machine_name;
282	ADS_STATUS aderr;
283
284	initialize_krb5_error_table();
285	ret = krb5_init_context(&context);
286	if (ret) {
287	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
288	error_message(ret)));
289	return -1;
290	}
291
292	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
293	if (ret) {
294	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
295	error_message(ret)));
296	goto out;
297	}
298
299	/* retrieve the password */
300	if (!secrets_init()) {
301	DEBUG(1, (__location__ ": secrets_init failed\n"));
302	ret = -1;
303	goto out;
304	}
305	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
306	if (!password_s) {
307	DEBUG(1, (__location__ ": failed to fetch machine password\n"));
308	ret = -1;
309	goto out;
310	}
311	ZERO_STRUCT(password);
312	password.data = password_s;
313	password.length = strlen(password_s);
314
315	/* we need the dNSHostName value here */
316	tmpctx = talloc_init(__location__);
317	if (!tmpctx) {
318	DEBUG(0, (__location__ ": talloc_init() failed!\n"));
319	ret = -1;
320	goto out;
321	}
322
323	my_fqdn = ads_get_dnshostname(ads, tmpctx, global_myname());
324	if (!my_fqdn) {
325	DEBUG(0, (__location__ ": unable to determine machine "
326	"account's dns name in AD!\n"));
327	ret = -1;
328	goto out;
329	}
330
331	machine_name = ads_get_samaccountname(ads, tmpctx, global_myname());
332	if (!machine_name) {
333	DEBUG(0, (__location__ ": unable to determine machine "
334	"account's short name in AD!\n"));
335	ret = -1;
336	goto out;
337	}
338	/strip the trailing '$' /
339	machine_name[strlen(machine_name)-1] = '\0';
340
341	/* Construct our principal */
342	if (strchr_m(srvPrinc, '@')) {
343	/* It's a fully-named principal. */
344	princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
345	if (!princ_s) {
346	ret = -1;
347	goto out;
348	}
349	} else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
350	/* It's the machine account, as used by smbclient clients. */
351	princ_s = talloc_asprintf(tmpctx, "%s@%s",
352	srvPrinc, lp_realm());
353	if (!princ_s) {
354	ret = -1;
355	goto out;
356	}
357	} else {
358	/* It's a normal service principal. Add the SPN now so that we
359	* can obtain credentials for it and double-check the salt value
360	* used to generate the service's keys. */
361
362	princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
363	srvPrinc, my_fqdn, lp_realm());
364	if (!princ_s) {
365	ret = -1;
366	goto out;
367	}
368	short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
369	srvPrinc, machine_name,
370	lp_realm());
371	if (!princ_s) {
372	ret = -1;
373	goto out;
374	}
375
376	/* According to http://support.microsoft.com/kb/326985/en-us,
377	certain principal names are automatically mapped to the
378	host/... principal in the AD account.
379	So only create these in the keytab, not in AD. --jerry */
380
381	if (!strequal(srvPrinc, "cifs") &&
382	!strequal(srvPrinc, "host")) {
383	DEBUG(3, (__location__ ": Attempting to add/update "
384	"'%s'\n", princ_s));
385
386	aderr = ads_add_service_principal_name(ads,
387	global_myname(), my_fqdn, srvPrinc);
388	if (!ADS_ERR_OK(aderr)) {
389	DEBUG(1, (__location__ ": failed to "
390	"ads_add_service_principal_name.\n"));
391	goto out;
392	}
393	}
394	}
395
396	kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
397	if (kvno == -1) {
398	/* -1 indicates failure, everything else is OK */
399	DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
400	"determine the system's kvno.\n"));
401	ret = -1;
402	goto out;
403	}
404
405	/* add the fqdn principal to the keytab */
406	ret = smb_krb5_kt_add_entry(context, keytab, kvno,
407	princ_s, enctypes, password,
408	false, false);
409	if (ret) {
410	DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
411	goto out;
412	}
413
414	/* add the short principal name if we have one */
415	if (short_princ_s) {
416	ret = smb_krb5_kt_add_entry(context, keytab, kvno,
417	short_princ_s, enctypes, password,
418	false, false);
419	if (ret) {
420	DEBUG(1, (__location__
421	": Failed to add short entry to keytab\n"));
422	goto out;
423	}
424	}
425
426	out:
427	TALLOC_FREE(tmpctx);
428
429	if (keytab) {
430	krb5_kt_close(context, keytab);
431	}
432	if (context) {
433	krb5_free_context(context);
434	}
435	return (int)ret;
436	}
437
438	/**********************************************************************
439	Flushes all entries from the system keytab.
440	***********************************************************************/
441
442	int ads_keytab_flush(ADS_STRUCT *ads)
443	{
444	krb5_error_code ret = 0;
445	krb5_context context = NULL;
446	krb5_keytab keytab = NULL;
447	krb5_kvno kvno;
448	ADS_STATUS aderr;
449
450	initialize_krb5_error_table();
451	ret = krb5_init_context(&context);
452	if (ret) {
453	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
454	error_message(ret)));
455	return ret;
456	}
457
458	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
459	if (ret) {
460	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
461	error_message(ret)));
462	goto out;
463	}
464
465	kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
466	if (kvno == -1) {
467	/* -1 indicates a failure */
468	DEBUG(1, (__location__ ": Error determining the kvno.\n"));
469	goto out;
470	}
471
472	/* Seek and delete old keytab entries */
473	ret = seek_and_delete_old_entries(context, keytab, kvno,
474	NULL, NULL, true, false);
475	if (ret) {
476	goto out;
477	}
478
479	aderr = ads_clear_service_principal_names(ads, global_myname());
480	if (!ADS_ERR_OK(aderr)) {
481	DEBUG(1, (__location__ ": Error while clearing service "
482	"principal listings in LDAP.\n"));
483	goto out;
484	}
485
486	out:
487	if (keytab) {
488	krb5_kt_close(context, keytab);
489	}
490	if (context) {
491	krb5_free_context(context);
492	}
493	return ret;
494	}
495
496	/**********************************************************************
497	Adds all the required service principals to the system keytab.
498	***********************************************************************/
499
500	int ads_keytab_create_default(ADS_STRUCT *ads)
501	{
502	krb5_error_code ret = 0;
503	krb5_context context = NULL;
504	krb5_keytab keytab = NULL;
505	krb5_kt_cursor cursor;
506	krb5_keytab_entry kt_entry;
507	krb5_kvno kvno;
508	int i, found = 0;
509	char sam_account_name, upn;
510	char *oldEntries = NULL, princ_s[26];
511	TALLOC_CTX *tmpctx = NULL;
512	char *machine_name;
513
514	/* these are the main ones we need */
515	ret = ads_keytab_add_entry(ads, "host");
516	if (ret != 0) {
517	DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
518	"adding 'host' principal.\n"));
519	return ret;
520	}
521
522
523	#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
524	really needs them and we will fall back to verifying against
525	secrets.tdb */
526
527	ret = ads_keytab_add_entry(ads, "cifs"));
528	if (ret != 0 ) {
529	DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
530	"adding 'cifs'.\n"));
531	return ret;
532	}
533	#endif
534
535	memset(princ_s, '\0', sizeof(princ_s));
536	ZERO_STRUCT(kt_entry);
537	ZERO_STRUCT(cursor);
538
539	initialize_krb5_error_table();
540	ret = krb5_init_context(&context);
541	if (ret) {
542	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
543	error_message(ret)));
544	return ret;
545	}
546
547	tmpctx = talloc_init(__location__);
548	if (!tmpctx) {
549	DEBUG(0, (__location__ ": talloc_init() failed!\n"));
550	ret = -1;
551	goto done;
552	}
553
554	machine_name = talloc_strdup(tmpctx, global_myname());
555	if (!machine_name) {
556	ret = -1;
557	goto done;
558	}
559
560	/* now add the userPrincipalName and sAMAccountName entries */
561	sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
562	if (!sam_account_name) {
563	DEBUG(0, (__location__ ": unable to determine machine "
564	"account's name in AD!\n"));
565	ret = -1;
566	goto done;
567	}
568
569	/* upper case the sAMAccountName to make it easier for apps to
570	know what case to use in the keytab file */
571	strupper_m(sam_account_name);
572
573	ret = ads_keytab_add_entry(ads, sam_account_name);
574	if (ret != 0) {
575	DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
576	"while adding sAMAccountName (%s)\n",
577	sam_account_name));
578	goto done;
579	}
580
581	/* remember that not every machine account will have a upn */
582	upn = ads_get_upn(ads, tmpctx, machine_name);
583	if (upn) {
584	ret = ads_keytab_add_entry(ads, upn);
585	if (ret != 0) {
586	DEBUG(1, (__location__ ": ads_keytab_add_entry() "
587	"failed while adding UPN (%s)\n", upn));
588	goto done;
589	}
590	}
591
592	/* Now loop through the keytab and update any other existing entries */
593	kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
594	if (kvno == -1) {
595	DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
596	"determine the system's kvno.\n"));
597	goto done;
598	}
599
600	DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
601	"and update.\n"));
602
603	ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
604	if (ret) {
605	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
606	error_message(ret)));
607	goto done;
608	}
609
610	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
611	if (ret != KRB5_KT_END && ret != ENOENT ) {
612	while ((ret = krb5_kt_next_entry(context, keytab,
613	&kt_entry, &cursor)) == 0) {
614	smb_krb5_kt_free_entry(context, &kt_entry);
615	ZERO_STRUCT(kt_entry);
616	found++;
617	}
618	}
619	krb5_kt_end_seq_get(context, keytab, &cursor);
620	ZERO_STRUCT(cursor);
621
622	/*
623	* Hmmm. There is no "rewind" function for the keytab. This means we
624	* have a race condition where someone else could add entries after
625	* we've counted them. Re-open asap to minimise the race. JRA.
626	*/
627	DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
628	if (!found) {
629	goto done;
630	}
631
632	oldEntries = talloc_array(tmpctx, char *, found);
633	if (!oldEntries) {
634	DEBUG(1, (__location__ ": Failed to allocate space to store "
635	"the old keytab entries (talloc failed?).\n"));
636	ret = -1;
637	goto done;
638	}
639	memset(oldEntries, '\0', found * sizeof(char *));
640
641	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
642	if (ret == KRB5_KT_END \|\| ret == ENOENT) {
643	krb5_kt_end_seq_get(context, keytab, &cursor);
644	ZERO_STRUCT(cursor);
645	goto done;
646	}
647
648	while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
649	if (kt_entry.vno != kvno) {
650	char *ktprinc = NULL;
651	char *p;
652
653	/* This returns a malloc'ed string in ktprinc. */
654	ret = smb_krb5_unparse_name(oldEntries, context,
655	kt_entry.principal,
656	&ktprinc);
657	if (ret) {
658	DEBUG(1, (__location__
659	": smb_krb5_unparse_name failed "
660	"(%s)\n", error_message(ret)));
661	goto done;
662	}
663	/*
664	* From looking at the krb5 source they don't seem to
665	* take locale or mb strings into account.
666	* Maybe this is because they assume utf8 ?
667	* In this case we may need to convert from utf8 to
668	* mb charset here ? JRA.
669	*/
670	p = strchr_m(ktprinc, '@');
671	if (p) {
672	*p = '\0';
673	}
674
675	p = strchr_m(ktprinc, '/');
676	if (p) {
677	*p = '\0';
678	}
679	for (i = 0; i < found; i++) {
680	if (!oldEntries[i]) {
681	oldEntries[i] = ktprinc;
682	break;
683	}
684	if (!strcmp(oldEntries[i], ktprinc)) {
685	TALLOC_FREE(ktprinc);
686	break;
687	}
688	}
689	if (i == found) {
690	TALLOC_FREE(ktprinc);
691	}
692	}
693	smb_krb5_kt_free_entry(context, &kt_entry);
694	ZERO_STRUCT(kt_entry);
695	}
696	ret = 0;
697	for (i = 0; oldEntries[i]; i++) {
698	ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
699	TALLOC_FREE(oldEntries[i]);
700	}
701	krb5_kt_end_seq_get(context, keytab, &cursor);
702	ZERO_STRUCT(cursor);
703
704	done:
705	TALLOC_FREE(oldEntries);
706	TALLOC_FREE(tmpctx);
707
708	{
709	krb5_keytab_entry zero_kt_entry;
710	ZERO_STRUCT(zero_kt_entry);
711	if (memcmp(&zero_kt_entry, &kt_entry,
712	sizeof(krb5_keytab_entry))) {
713	smb_krb5_kt_free_entry(context, &kt_entry);
714	}
715	}
716	{
717	krb5_kt_cursor zero_csr;
718	ZERO_STRUCT(zero_csr);
719	if ((memcmp(&cursor, &zero_csr,
720	sizeof(krb5_kt_cursor)) != 0) && keytab) {
721	krb5_kt_end_seq_get(context, keytab, &cursor);
722	}
723	}
724	if (keytab) {
725	krb5_kt_close(context, keytab);
726	}
727	if (context) {
728	krb5_free_context(context);
729	}
730	return ret;
731	}
732
733	/**********************************************************************
734	List system keytab.
735	***********************************************************************/
736
737	int ads_keytab_list(const char *keytab_name)
738	{
739	krb5_error_code ret = 0;
740	krb5_context context = NULL;
741	krb5_keytab keytab = NULL;
742	krb5_kt_cursor cursor;
743	krb5_keytab_entry kt_entry;
744
745	ZERO_STRUCT(kt_entry);
746	ZERO_STRUCT(cursor);
747
748	initialize_krb5_error_table();
749	ret = krb5_init_context(&context);
750	if (ret) {
751	DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
752	error_message(ret)));
753	return ret;
754	}
755
756	ret = smb_krb5_open_keytab(context, keytab_name, False, &keytab);
757	if (ret) {
758	DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
759	error_message(ret)));
760	goto out;
761	}
762
763	ret = krb5_kt_start_seq_get(context, keytab, &cursor);
764	if (ret) {
765	ZERO_STRUCT(cursor);
766	goto out;
767	}
768
769	printf("Vno Type Principal\n");
770
771	while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
772
773	char *princ_s = NULL;
774	char *etype_s = NULL;
775	krb5_enctype enctype = 0;
776
777	ret = smb_krb5_unparse_name(talloc_tos(), context,
778	kt_entry.principal, &princ_s);
779	if (ret) {
780	goto out;
781	}
782
783	enctype = smb_get_enctype_from_kt_entry(&kt_entry);
784
785	ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
786	if (ret &&
787	(asprintf(&etype_s, "UNKNOWN: %d\n", enctype) == -1)) {
788	TALLOC_FREE(princ_s);
789	goto out;
790	}
791
792	printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
793
794	TALLOC_FREE(princ_s);
795	SAFE_FREE(etype_s);
796
797	ret = smb_krb5_kt_free_entry(context, &kt_entry);
798	if (ret) {
799	goto out;
800	}
801	}
802
803	ret = krb5_kt_end_seq_get(context, keytab, &cursor);
804	if (ret) {
805	goto out;
806	}
807
808	/* Ensure we don't double free. */
809	ZERO_STRUCT(kt_entry);
810	ZERO_STRUCT(cursor);
811	out:
812
813	{
814	krb5_keytab_entry zero_kt_entry;
815	ZERO_STRUCT(zero_kt_entry);
816	if (memcmp(&zero_kt_entry, &kt_entry,
817	sizeof(krb5_keytab_entry))) {
818	smb_krb5_kt_free_entry(context, &kt_entry);
819	}
820	}
821	{
822	krb5_kt_cursor zero_csr;
823	ZERO_STRUCT(zero_csr);
824	if ((memcmp(&cursor, &zero_csr,
825	sizeof(krb5_kt_cursor)) != 0) && keytab) {
826	krb5_kt_end_seq_get(context, keytab, &cursor);
827	}
828	}
829
830	if (keytab) {
831	krb5_kt_close(context, keytab);
832	}
833	if (context) {
834	krb5_free_context(context);
835	}
836	return ret;
837	}
838
839	#endif /* HAVE_KRB5 */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: