summaryrefslogtreecommitdiff
path: root/source4/libnet
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-07-27 22:04:26 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-28 08:52:43 +1000
commit47a7a2e442c7e006eca8188c6a01707d85c4e61c (patch)
tree9f2b209c59230b1a6a84b0ac93fdf4defb71cd27 /source4/libnet
parent9297b975f58a6c8a8609e05d0bed7b4846a2be32 (diff)
downloadsamba-47a7a2e442c7e006eca8188c6a01707d85c4e61c.tar.gz
samba-47a7a2e442c7e006eca8188c6a01707d85c4e61c.tar.bz2
samba-47a7a2e442c7e006eca8188c6a01707d85c4e61c.zip
s4:kerberos Add 'net export keytab' command for wireshark decryption
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 doamin. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of keeping working in the long term). Andrew Bartlett
Diffstat (limited to 'source4/libnet')
-rw-r--r--source4/libnet/config.mk4
-rw-r--r--source4/libnet/libnet.h1
-rw-r--r--source4/libnet/libnet_export_keytab.c53
-rw-r--r--source4/libnet/libnet_export_keytab.h28
4 files changed, 84 insertions, 2 deletions
diff --git a/source4/libnet/config.mk b/source4/libnet/config.mk
index 07d5434ebf..eede8c871d 100644
--- a/source4/libnet/config.mk
+++ b/source4/libnet/config.mk
@@ -1,5 +1,5 @@
[SUBSYSTEM::LIBSAMBA-NET]
-PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION LIBCLI_SAMSYNC
+PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION LIBCLI_SAMSYNC HDB_SAMBA4
LIBSAMBA-NET_OBJ_FILES = $(addprefix $(libnetsrcdir)/, \
libnet.o libnet_passwd.o libnet_time.o libnet_rpc.o \
@@ -7,7 +7,7 @@ LIBSAMBA-NET_OBJ_FILES = $(addprefix $(libnetsrcdir)/, \
libnet_vampire.o libnet_samdump.o libnet_samdump_keytab.o \
libnet_samsync_ldb.o libnet_user.o libnet_group.o libnet_share.o \
libnet_lookup.o libnet_domain.o userinfo.o groupinfo.o userman.o \
- groupman.o prereq_domain.o libnet_samsync.o)
+ groupman.o prereq_domain.o libnet_samsync.o libnet_export_keytab.o)
$(eval $(call proto_header_template,$(libnetsrcdir)/libnet_proto.h,$(LIBSAMBA-NET_OBJ_FILES:.o=.c)))
diff --git a/source4/libnet/libnet.h b/source4/libnet/libnet.h
index 543a131806..9964a3f526 100644
--- a/source4/libnet/libnet.h
+++ b/source4/libnet/libnet.h
@@ -75,4 +75,5 @@ struct libnet_context {
#include "libnet/libnet_share.h"
#include "libnet/libnet_lookup.h"
#include "libnet/libnet_domain.h"
+#include "libnet/libnet_export_keytab.h"
#include "libnet/libnet_proto.h"
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
new file mode 100644
index 0000000000..a7006b4bf9
--- /dev/null
+++ b/source4/libnet/libnet_export_keytab.c
@@ -0,0 +1,53 @@
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include <hdb.h>
+#include "kdc/hdb-samba4.h"
+#include "libnet/libnet.h"
+
+NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r)
+{
+ krb5_error_code ret;
+ struct smb_krb5_context *smb_krb5_context;
+ const char *from_keytab;
+
+ /* Register hdb-samba4 hooks for use as a keytab */
+
+ struct hdb_samba4_context *hdb_samba4_context = talloc(mem_ctx, struct hdb_samba4_context);
+ if (!hdb_samba4_context) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ hdb_samba4_context->ev_ctx = ctx->event_ctx;
+ hdb_samba4_context->lp_ctx = ctx->lp_ctx;
+
+ from_keytab = talloc_asprintf(hdb_samba4_context, "HDB:samba4&%p", hdb_samba4_context);
+ if (!from_keytab) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = smb_krb5_init_context(ctx, ctx->event_ctx, ctx->lp_ctx, &smb_krb5_context);
+ if (ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = krb5_plugin_register(smb_krb5_context->krb5_context,
+ PLUGIN_TYPE_DATA, "hdb",
+ &hdb_samba4);
+ if(ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
+ if(ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
+ if(ret) {
+ r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+}
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
new file mode 100644
index 0000000000..194f8907a3
--- /dev/null
+++ b/source4/libnet/libnet_export_keytab.h
@@ -0,0 +1,28 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct libnet_export_keytab {
+ struct {
+ const char *keytab_name;
+ } in;
+ struct {
+ const char *error_string;
+ } out;
+};
+