summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-12-21 22:02:52 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:47:35 -0500
commit221c1512a8b4de9a568c0a0cdafa97ab5c53368c (patch)
treea3c696e37929ef2b758ba9466a07b0779b659b61 /source4/auth
parentf45b0ff698414f4fcdb49f1324ebfc5576f785ae (diff)
downloadsamba-221c1512a8b4de9a568c0a0cdafa97ab5c53368c.tar.gz
samba-221c1512a8b4de9a568c0a0cdafa97ab5c53368c.tar.bz2
samba-221c1512a8b4de9a568c0a0cdafa97ab5c53368c.zip
r12411: Add 'net samdump keytab <keytab>'.
This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg: password server = ncacn_np:mypdc Andrew Bartlett (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials_files.c4
-rw-r--r--source4/auth/credentials/credentials_krb5.c27
-rw-r--r--source4/auth/kerberos/kerberos_util.c58
3 files changed, 45 insertions, 44 deletions
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 1f7a7cf435..8d84e8cdb5 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -301,13 +301,13 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
* (chewing CPU time) from the password */
keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL);
if (keytab) {
- cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
} else {
keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab));
if (keytab) {
- cli_credentials_set_keytab(cred, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
}
}
}
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 173739e9b8..5f40ca1046 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -398,7 +398,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- ret = create_memory_keytab(mem_ctx, cred, smb_krb5_context, &ktc);
+ ret = smb_krb5_create_memory_keytab(mem_ctx, cred, smb_krb5_context, &ktc);
if (ret) {
talloc_free(mem_ctx);
return ret;
@@ -417,14 +417,13 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
/* Given the name of a keytab (presumably in the format
* FILE:/etc/krb5.keytab), open it and attach it */
-int cli_credentials_set_keytab(struct cli_credentials *cred,
- const char *keytab_name,
- enum credentials_obtained obtained)
+int cli_credentials_set_keytab_name(struct cli_credentials *cred,
+ const char *keytab_name,
+ enum credentials_obtained obtained)
{
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
- krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
if (cred->keytab_obtained >= obtained) {
@@ -441,24 +440,12 @@ int cli_credentials_set_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- ret = krb5_kt_resolve(smb_krb5_context->krb5_context, keytab_name, &keytab);
+ ret = smb_krb5_open_keytab(mem_ctx, smb_krb5_context,
+ keytab_name, &ktc);
if (ret) {
- DEBUG(1,("failed to open krb5 keytab: %s\n",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
- talloc_free(mem_ctx);
return ret;
}
- ktc = talloc(mem_ctx, struct keytab_container);
- if (!ktc) {
- talloc_free(mem_ctx);
- return ENOMEM;
- }
-
- ktc->smb_krb5_context = talloc_reference(ktc, smb_krb5_context);
- ktc->keytab = keytab;
-
cred->keytab_obtained = obtained;
talloc_steal(cred, ktc);
@@ -492,7 +479,7 @@ int cli_credentials_update_keytab(struct cli_credentials *cred)
return ret;
}
- ret = update_keytab(mem_ctx, cred, smb_krb5_context, ktc);
+ ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, ktc);
talloc_free(mem_ctx);
return ret;
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index a9ea6f9db3..d8c650b098 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -226,6 +226,32 @@ static int free_keytab(void *ptr) {
return 0;
}
+int smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ const char *keytab_name, struct keytab_container **ktc)
+{
+ krb5_keytab keytab;
+ int ret;
+ ret = krb5_kt_resolve(smb_krb5_context->krb5_context, keytab_name, &keytab);
+ if (ret) {
+ DEBUG(1,("failed to open krb5 keytab: %s\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx)));
+ return ret;
+ }
+
+ *ktc = talloc(mem_ctx, struct keytab_container);
+ if (!*ktc) {
+ return ENOMEM;
+ }
+
+ (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
+ (*ktc)->keytab = keytab;
+ talloc_set_destructor(*ktc, free_keytab);
+
+ return 0;
+}
+
struct enctypes_container {
struct smb_krb5_context *smb_krb5_context;
krb5_enctype *enctypes;
@@ -574,10 +600,10 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
return ret;
}
-int update_keytab(TALLOC_CTX *parent_ctx,
- struct cli_credentials *machine_account,
- struct smb_krb5_context *smb_krb5_context,
- struct keytab_container *keytab_container)
+int smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
+ struct cli_credentials *machine_account,
+ struct smb_krb5_context *smb_krb5_context,
+ struct keytab_container *keytab_container)
{
krb5_error_code ret;
BOOL found_previous;
@@ -604,16 +630,15 @@ int update_keytab(TALLOC_CTX *parent_ctx,
return ret;
}
-int create_memory_keytab(TALLOC_CTX *parent_ctx,
- struct cli_credentials *machine_account,
- struct smb_krb5_context *smb_krb5_context,
- struct keytab_container **keytab_container)
+int smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
+ struct cli_credentials *machine_account,
+ struct smb_krb5_context *smb_krb5_context,
+ struct keytab_container **keytab_container)
{
krb5_error_code ret;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
const char *rand_string;
const char *keytab_name;
- krb5_keytab keytab;
if (!mem_ctx) {
return ENOMEM;
}
@@ -633,23 +658,12 @@ int create_memory_keytab(TALLOC_CTX *parent_ctx,
return ENOMEM;
}
- /* Find the keytab */
- ret = krb5_kt_resolve(smb_krb5_context->krb5_context, keytab_name, &keytab);
+ ret = smb_krb5_open_keytab(mem_ctx, smb_krb5_context, keytab_name, keytab_container);
if (ret) {
- DEBUG(1,("failed to resolve keytab: %s: %s\n",
- keytab_name,
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
- talloc_free(mem_ctx);
return ret;
}
- (*keytab_container)->smb_krb5_context = talloc_reference(*keytab_container, smb_krb5_context);
- (*keytab_container)->keytab = keytab;
-
- talloc_set_destructor(*keytab_container, free_keytab);
-
- ret = update_keytab(mem_ctx, machine_account, smb_krb5_context, *keytab_container);
+ ret = smb_krb5_update_keytab(mem_ctx, machine_account, smb_krb5_context, *keytab_container);
if (ret == 0) {
talloc_steal(parent_ctx, *keytab_container);
} else {