summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-11-29 12:47:40 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-11-29 09:20:54 +0100
commit2bff209128b85bd870ad36fa00ffcc92edbbab08 (patch)
tree751e775ca78eda99455f88f9e8057611150f76c5 /source4/auth/kerberos
parent8eef716598fa30b216ba144c74bcf5dfcfa870fd (diff)
downloadsamba-2bff209128b85bd870ad36fa00ffcc92edbbab08.tar.gz
samba-2bff209128b85bd870ad36fa00ffcc92edbbab08.tar.bz2
samba-2bff209128b85bd870ad36fa00ffcc92edbbab08.zip
s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/keytab_copy.c195
1 files changed, 134 insertions, 61 deletions
diff --git a/source4/auth/kerberos/keytab_copy.c b/source4/auth/kerberos/keytab_copy.c
index ba4ea2bf39..d823e0219d 100644
--- a/source4/auth/kerberos/keytab_copy.c
+++ b/source4/auth/kerberos/keytab_copy.c
@@ -1,6 +1,8 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2011 Andrew Bartlett
+ *
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -35,8 +37,6 @@
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
-static const krb5_boolean verbose_flag = FALSE;
-
static krb5_boolean
compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
{
@@ -47,90 +47,99 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
return TRUE;
}
+static krb5_error_code copy_one_entry(krb5_context context,
+ krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry)
+{
+ krb5_error_code ret;
+ krb5_keytab_entry dummy;
+
+ char *name_str;
+ char *etype_str;
+ ret = krb5_unparse_name (context, entry.principal, &name_str);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_unparse_name");
+ name_str = NULL; /* XXX */
+ return ret;
+ }
+ ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_enctype_to_string");
+ etype_str = NULL; /* XXX */
+ return ret;
+ }
+ ret = krb5_kt_get_entry(context, dst_keytab,
+ entry.principal,
+ entry.vno,
+ entry.keyblock.keytype,
+ &dummy);
+ if(ret == 0) {
+ /* this entry is already in the new keytab, so no need to
+ copy it; if the keyblocks are not the same, something
+ is weird, so complain about that */
+ if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
+ krb5_warn(context, 0, "entry with different keyvalue "
+ "already exists for %s, keytype %s, kvno %d",
+ name_str, etype_str, entry.vno);
+ }
+ krb5_kt_free_entry(context, &dummy);
+ krb5_kt_free_entry (context, &entry);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ } else if(ret != KRB5_KT_NOTFOUND) {
+ krb5_set_error_message (context, ret, "fetching %s/%s/%u",
+ name_str, etype_str, entry.vno);
+ krb5_kt_free_entry (context, &entry);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ }
+ ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+ krb5_kt_free_entry (context, &entry);
+ if (ret) {
+ krb5_set_error_message (context, ret, "adding %s/%s/%u",
+ name_str, etype_str, entry.vno);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ }
+ free(name_str);
+ free(etype_str);
+ return ret;
+}
+
krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
krb5_kt_cursor cursor;
- krb5_keytab_entry entry, dummy;
+ krb5_keytab_entry entry;
ret = krb5_kt_resolve (context, from, &src_keytab);
if (ret) {
- krb5_warn (context, ret, "resolving src keytab `%s'", from);
- return 1;
+ krb5_set_error_message (context, ret, "resolving src keytab `%s'", from);
+ return ret;
}
ret = krb5_kt_resolve (context, to, &dst_keytab);
if (ret) {
krb5_kt_close (context, src_keytab);
- krb5_warn (context, ret, "resolving dst keytab `%s'", to);
- return 1;
+ krb5_set_error_message (context, ret, "resolving dst keytab `%s'", to);
+ return ret;
}
ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
if (ret) {
- krb5_warn (context, ret, "krb5_kt_start_seq_get %s", from);
+ krb5_set_error_message (context, ret, "krb5_kt_start_seq_get %s", from);
goto out;
}
- if (verbose_flag)
- fprintf(stderr, "copying %s to %s\n", from, to);
-
while((ret = krb5_kt_next_entry(context, src_keytab,
&entry, &cursor)) == 0) {
- char *name_str;
- char *etype_str;
- ret = krb5_unparse_name (context, entry.principal, &name_str);
- if(ret) {
- krb5_warn(context, ret, "krb5_unparse_name");
- name_str = NULL; /* XXX */
- }
- ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
- if(ret) {
- krb5_warn(context, ret, "krb5_enctype_to_string");
- etype_str = NULL; /* XXX */
- }
- ret = krb5_kt_get_entry(context, dst_keytab,
- entry.principal,
- entry.vno,
- entry.keyblock.keytype,
- &dummy);
- if(ret == 0) {
- /* this entry is already in the new keytab, so no need to
- copy it; if the keyblocks are not the same, something
- is weird, so complain about that */
- if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
- krb5_warnx(context, "entry with different keyvalue "
- "already exists for %s, keytype %s, kvno %d",
- name_str, etype_str, entry.vno);
- }
- krb5_kt_free_entry(context, &dummy);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- continue;
- } else if(ret != KRB5_KT_NOTFOUND) {
- krb5_warn (context, ret, "%s: fetching %s/%s/%u",
- to, name_str, etype_str, entry.vno);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- break;
- }
- if (verbose_flag)
- fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str,
- etype_str, entry.vno);
- ret = krb5_kt_add_entry (context, dst_keytab, &entry);
- krb5_kt_free_entry (context, &entry);
+ ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
if (ret) {
- krb5_warn (context, ret, "%s: adding %s/%s/%u",
- to, name_str, etype_str, entry.vno);
- free(name_str);
- free(etype_str);
break;
}
- free(name_str);
- free(etype_str);
}
krb5_kt_end_seq_get (context, src_keytab, &cursor);
@@ -144,3 +153,67 @@ krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
}
return ret;
}
+
+krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to,
+ const char *principal, krb5_kvno kvno, krb5_enctype *enctypes)
+{
+ krb5_error_code ret;
+ krb5_keytab src_keytab, dst_keytab;
+ krb5_keytab_entry entry;
+ krb5_principal princ;
+ int i;
+ bool found_one = false;
+
+ ret = krb5_parse_name (context, principal, &princ);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_unparse_name");
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, from, &src_keytab);
+ if (ret) {
+ krb5_set_error_message(context, ret, "resolving src keytab `%s'", from);
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, to, &dst_keytab);
+ if (ret) {
+ krb5_kt_close (context, src_keytab);
+ krb5_set_error_message(context, ret, "resolving dst keytab `%s'", to);
+ return ret;
+ }
+
+ for (i=0; enctypes[i]; i++) {
+ ret = krb5_kt_get_entry(context, src_keytab,
+ princ,
+ kvno,
+ enctypes[i],
+ &entry);
+ if (ret == KRB5_KT_NOTFOUND) {
+ continue;
+ } else if (ret) {
+ break;
+ }
+ found_one = true;
+ ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
+ if (ret) {
+ break;
+ }
+ }
+ if (ret == KRB5_KT_NOTFOUND) {
+ if (!found_one) {
+ char *princ_string;
+ int ret2 = krb5_unparse_name (context, princ, &princ_string);
+ if (ret2) {
+ krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
+ }
+ } else {
+ /* Not finding an enc type is not an error, as long as we copied one for the principal */
+ ret = 0;
+ }
+ }
+
+ krb5_kt_close (context, src_keytab);
+ krb5_kt_close (context, dst_keytab);
+ return ret;
+}