authorAndrew Bartlett <abartlet@samba.org>2009-07-27 22:04:26 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-27 22:41:42 +1000
commita40ce5d0d9d06f592a8885162bbaf644006b9f0f (patch)
tree27a367040a91d1cd6605db042acda7e45c1ca2cb /source4/libnet
parent56f4516399431cc508ca0c3e0dd7f179cc7ab62c (diff)
s4:kerberos Add 'net export keytab' command for wireshark decryption
It is much easier to do decryption with wireshark when the keytab is available for every host in the domain. Running 'net export keytab <keytab name>' will export the current (as pointed to by the supplied smb.conf) local Samba4 domain. (This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4, and so has a good chance of continuing to work in the long term). Andrew Bartlett
Diffstat (limited to 'source4/libnet')
-rw-r--r--source4/libnet/config.mk4
-rw-r--r--source4/libnet/libnet.h1
-rw-r--r--source4/libnet/libnet_export_keytab.c54
-rw-r--r--source4/libnet/libnet_export_keytab.h28
4 files changed, 85 insertions, 2 deletions
diff --git a/source4/libnet/config.mk b/source4/libnet/config.mk
index 07d5434ebf..eede8c871d 100644
--- a/source4/libnet/config.mk
+++ b/source4/libnet/config.mk
@@ -1,5 +1,5 @@
[SUBSYSTEM::LIBSAMBA-NET]
-PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION LIBCLI_SAMSYNC
+PUBLIC_DEPENDENCIES = CREDENTIALS dcerpc dcerpc_samr RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBCLI_FINDDCS LIBCLI_CLDAP LIBCLI_FINDDCS gensec_schannel LIBCLI_AUTH LIBNDR SMBPASSWD PROVISION LIBCLI_SAMSYNC HDB_SAMBA4
LIBSAMBA-NET_OBJ_FILES = $(addprefix $(libnetsrcdir)/, \
libnet.o libnet_passwd.o libnet_time.o libnet_rpc.o \
@@ -7,7 +7,7 @@ LIBSAMBA-NET_OBJ_FILES = $(addprefix $(libnetsrcdir)/, \
libnet_vampire.o libnet_samdump.o libnet_samdump_keytab.o \
libnet_samsync_ldb.o libnet_user.o libnet_group.o libnet_share.o \
libnet_lookup.o libnet_domain.o userinfo.o groupinfo.o userman.o \
- groupman.o prereq_domain.o libnet_samsync.o)
+ groupman.o prereq_domain.o libnet_samsync.o libnet_export_keytab.o)
$(eval $(call proto_header_template,$(libnetsrcdir)/libnet_proto.h,$(LIBSAMBA-NET_OBJ_FILES:.o=.c)))
diff --git a/source4/libnet/libnet.h b/source4/libnet/libnet.h
index 543a131806..9964a3f526 100644
--- a/source4/libnet/libnet.h
+++ b/source4/libnet/libnet.h
@@ -75,4 +75,5 @@ struct libnet_context {
#include "libnet/libnet_share.h"
#include "libnet/libnet_lookup.h"
#include "libnet/libnet_domain.h"
+#include "libnet/libnet_export_keytab.h"
#include "libnet/libnet_proto.h"
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
new file mode 100644
index 0000000000..43fd0aa30e
--- /dev/null
+++ b/source4/libnet/libnet_export_keytab.c
@@ -0,0 +1,54 @@
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include <hdb.h>
+#include "kdc/hdb-samba4.h"
+#include "auth/kerberos/keytab_copy.h"
+#include "libnet/libnet.h"
+
+NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r)
+{
+ krb5_error_code ret;
+ struct smb_krb5_context *smb_krb5_context;
+ const char *from_keytab;
+
+ /* Register hdb-samba4 hooks for use as a keytab */
+
+ struct hdb_samba4_context *hdb_samba4_context = talloc(mem_ctx, struct hdb_samba4_context);
+ if (!hdb_samba4_context) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ hdb_samba4_context->ev_ctx = ctx->event_ctx;
+ hdb_samba4_context->lp_ctx = ctx->lp_ctx;
+
+ from_keytab = talloc_asprintf(hdb_samba4_context, "HDB:samba4&%p", hdb_samba4_context);
+ if (!from_keytab) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = smb_krb5_init_context(ctx, ctx->event_ctx, ctx->lp_ctx, &smb_krb5_context);
+ if (ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = krb5_plugin_register(smb_krb5_context->krb5_context,
+ PLUGIN_TYPE_DATA, "hdb",
+ &hdb_samba4);
+ if(ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
+ if(ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
+ if(ret) {
+ r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+}
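Review bot: The three krb5 failures before the copy (smb_krb5_init_context, krb5_plugin_register, krb5_kt_register) all return NT_STATUS_NO_MEMORY, which misreports a Kerberos initialisation or registration error as an allocation failure and leaves r->out.error_string unset, so the caller has nothing to print. Only the kt_copy path sets error_string; the two registration sites already have a krb5_context available and can use smb_get_krb5_error_message the same way, and the init failure should at least carry a distinct status such as NT_STATUS_INTERNAL_ERROR. It is also worth a comment at the top of the function that the destination keytab receives the long-term keys of every principal in the domain, so the caller is responsible for where it is written and who can read it — the file's permissions are left to the keytab backend here, as far as this hunk shows. Separately, smb_krb5_init_context is given ctx rather than mem_ctx as its talloc parent, so the krb5 context presumably outlives this call; if that is unintended, pass mem_ctx.
```c
	ret = smb_krb5_init_context(ctx, ctx->event_ctx, ctx->lp_ctx, &smb_krb5_context);
	if (ret) {
		r->out.error_string = talloc_asprintf(mem_ctx, "smb_krb5_init_context failed: %d", ret);
		return NT_STATUS_INTERNAL_ERROR;
	}

	ret = krb5_plugin_register(smb_krb5_context->krb5_context,
				   PLUGIN_TYPE_DATA, "hdb",
				   &hdb_samba4);
	if (ret) {
		r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
								 ret, mem_ctx);
		return NT_STATUS_UNSUCCESSFUL;
	}

	ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
	if (ret) {
		r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
								 ret, mem_ctx);
		return NT_STATUS_UNSUCCESSFUL;
	}
	/* … unchanged: kt_copy call and its error path … */
```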
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
new file mode 100644
index 0000000000..194f8907a3
--- /dev/null
+++ b/source4/libnet/libnet_export_keytab.h
@@ -0,0 +1,28 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct libnet_export_keytab {
+ struct {
+ const char *keytab_name;
+ } in;
+ struct {
+ const char *error_string;
+ } out;
+};
+
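Review bot: The new struct has no documentation of its two fields, although it is the public request/response contract for libnet_export_keytab. Suggest `/* Destination keytab, as a krb5 keytab name string (e.g. FILE:/path); supplied by the caller */` on keytab_name and `/* talloc'd on the caller's mem_ctx; set only when the export fails */` on error_string, which matches how libnet_export_keytab.c fills it. A one-line header comment noting that the destination ends up holding the keys of every principal in the domain would also help callers choose the output location carefully.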