r16952: New derive DES salt code and Krb5 keytab generation

Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)

1 files changed, 56 insertions, 15 deletions

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index bfbc80759a..99098dabdb 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1030,6 +1030,61 @@ static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou )
 	return rc;
 }
 
+/************************************************************************
+ ************************************************************************/
+
+static BOOL net_derive_salting_principal( TALLOC_CTX *ctx, ADS_STRUCT *ads )
+{
+	uint32 domain_func;
+	ADS_STATUS status;
+	fstring salt;
+	char *std_salt;
+	LDAPMessage *res = NULL;
+	const char *machine_name = global_myname();
+
+	status = ads_domain_func_level( ads, &domain_func );
+	if ( !ADS_ERR_OK(status) ) {
+		DEBUG(2,("Failed to determine domain functional level!\n"));
+		return False;
+	}
+
+	/* go ahead and setup the default salt */
+
+	if ( (std_salt = kerberos_standard_des_salt()) == NULL ) {
+		DEBUG(0,("net_derive_salting_principal: failed to obtain stanard DES salt\n"));
+		return False;
+	}
+
+	fstrcpy( salt, std_salt );
+	SAFE_FREE( std_salt );
+	
+	/* if it's a Windows functional domain, we have to look for the UPN */
+	   
+	if ( domain_func == DS_DOMAIN_FUNCTION_2000 ) {	
+		char *upn;
+		int count;
+		
+		status = ads_find_machine_acct(ads, (void **)(void *)&res, machine_name);
+		if (!ADS_ERR_OK(status)) {
+			return False;
+		}
+		
+		if ( (count = ads_count_replies(ads, res)) != 1 ) {
+			DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count));
+			return False;
+		}
+		
+		upn = ads_pull_string(ads, ctx, res, "userPrincipalName");
+		if ( upn ) {
+			fstrcpy( salt, upn );
+		}
+		
+		ads_msgfree(ads, res);
+	}
+
+	return kerberos_secrets_store_des_salt( salt );
+}
+
 /*******************************************************************
   join a domain using ADS (LDAP mods)
  ********************************************************************/
@@ -1140,30 +1195,16 @@ int net_ads_join(int argc, const char **argv)
 		/* don't fail */
 	}
 
-#if defined(HAVE_KRB5) 
-	if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
-		d_fprintf(stderr, "asprintf failed\n");
-		ads_destroy(&ads);
-		return -1;
-	}
-
-	if (!kerberos_derive_salting_principal(machine_account)) {
+	if ( !net_derive_salting_principal( ctx, ads ) ) {
 		DEBUG(1,("Failed to determine salting principal\n"));
 		ads_destroy(&ads);
 		return -1;
 	}
 
-	if (!kerberos_derive_cifs_salting_principals()) {
-		DEBUG(1,("Failed to determine salting principals\n"));
-		ads_destroy(&ads);
-		return -1;
-	}
-	
 	/* Now build the keytab, using the same ADS connection */
 	if (lp_use_kerberos_keytab() && ads_keytab_create_default(ads)) {
 		DEBUG(1,("Error creating host keytab!\n"));
 	}
-#endif
 
 	d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);