summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-11-29 12:47:40 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-11-29 09:20:54 +0100
commit2bff209128b85bd870ad36fa00ffcc92edbbab08 (patch)
tree751e775ca78eda99455f88f9e8057611150f76c5 /source4
parent8eef716598fa30b216ba144c74bcf5dfcfa870fd (diff)
downloadsamba-2bff209128b85bd870ad36fa00ffcc92edbbab08.tar.gz
samba-2bff209128b85bd870ad36fa00ffcc92edbbab08.tar.bz2
samba-2bff209128b85bd870ad36fa00ffcc92edbbab08.zip
s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza <geza@kzsdabas.hu> Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/kerberos/keytab_copy.c195
-rw-r--r--source4/libnet/libnet_export_keytab.c22
-rw-r--r--source4/libnet/libnet_export_keytab.h1
-rw-r--r--source4/libnet/py_net.c8
-rw-r--r--source4/scripting/python/samba/netcmd/domain.py7
5 files changed, 163 insertions, 70 deletions
diff --git a/source4/auth/kerberos/keytab_copy.c b/source4/auth/kerberos/keytab_copy.c
index ba4ea2bf39..d823e0219d 100644
--- a/source4/auth/kerberos/keytab_copy.c
+++ b/source4/auth/kerberos/keytab_copy.c
@@ -1,6 +1,8 @@
/*
* Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2011 Andrew Bartlett
+ *
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -35,8 +37,6 @@
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
-static const krb5_boolean verbose_flag = FALSE;
-
static krb5_boolean
compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
{
@@ -47,90 +47,99 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
return TRUE;
}
+static krb5_error_code copy_one_entry(krb5_context context,
+ krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry)
+{
+ krb5_error_code ret;
+ krb5_keytab_entry dummy;
+
+ char *name_str;
+ char *etype_str;
+ ret = krb5_unparse_name (context, entry.principal, &name_str);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_unparse_name");
+ name_str = NULL; /* XXX */
+ return ret;
+ }
+ ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_enctype_to_string");
+ etype_str = NULL; /* XXX */
+ return ret;
+ }
+ ret = krb5_kt_get_entry(context, dst_keytab,
+ entry.principal,
+ entry.vno,
+ entry.keyblock.keytype,
+ &dummy);
+ if(ret == 0) {
+ /* this entry is already in the new keytab, so no need to
+ copy it; if the keyblocks are not the same, something
+ is weird, so complain about that */
+ if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
+ krb5_warn(context, 0, "entry with different keyvalue "
+ "already exists for %s, keytype %s, kvno %d",
+ name_str, etype_str, entry.vno);
+ }
+ krb5_kt_free_entry(context, &dummy);
+ krb5_kt_free_entry (context, &entry);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ } else if(ret != KRB5_KT_NOTFOUND) {
+ krb5_set_error_message (context, ret, "fetching %s/%s/%u",
+ name_str, etype_str, entry.vno);
+ krb5_kt_free_entry (context, &entry);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ }
+ ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+ krb5_kt_free_entry (context, &entry);
+ if (ret) {
+ krb5_set_error_message (context, ret, "adding %s/%s/%u",
+ name_str, etype_str, entry.vno);
+ free(name_str);
+ free(etype_str);
+ return ret;
+ }
+ free(name_str);
+ free(etype_str);
+ return ret;
+}
+
krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
krb5_kt_cursor cursor;
- krb5_keytab_entry entry, dummy;
+ krb5_keytab_entry entry;
ret = krb5_kt_resolve (context, from, &src_keytab);
if (ret) {
- krb5_warn (context, ret, "resolving src keytab `%s'", from);
- return 1;
+ krb5_set_error_message (context, ret, "resolving src keytab `%s'", from);
+ return ret;
}
ret = krb5_kt_resolve (context, to, &dst_keytab);
if (ret) {
krb5_kt_close (context, src_keytab);
- krb5_warn (context, ret, "resolving dst keytab `%s'", to);
- return 1;
+ krb5_set_error_message (context, ret, "resolving dst keytab `%s'", to);
+ return ret;
}
ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
if (ret) {
- krb5_warn (context, ret, "krb5_kt_start_seq_get %s", from);
+ krb5_set_error_message (context, ret, "krb5_kt_start_seq_get %s", from);
goto out;
}
- if (verbose_flag)
- fprintf(stderr, "copying %s to %s\n", from, to);
-
while((ret = krb5_kt_next_entry(context, src_keytab,
&entry, &cursor)) == 0) {
- char *name_str;
- char *etype_str;
- ret = krb5_unparse_name (context, entry.principal, &name_str);
- if(ret) {
- krb5_warn(context, ret, "krb5_unparse_name");
- name_str = NULL; /* XXX */
- }
- ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
- if(ret) {
- krb5_warn(context, ret, "krb5_enctype_to_string");
- etype_str = NULL; /* XXX */
- }
- ret = krb5_kt_get_entry(context, dst_keytab,
- entry.principal,
- entry.vno,
- entry.keyblock.keytype,
- &dummy);
- if(ret == 0) {
- /* this entry is already in the new keytab, so no need to
- copy it; if the keyblocks are not the same, something
- is weird, so complain about that */
- if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
- krb5_warnx(context, "entry with different keyvalue "
- "already exists for %s, keytype %s, kvno %d",
- name_str, etype_str, entry.vno);
- }
- krb5_kt_free_entry(context, &dummy);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- continue;
- } else if(ret != KRB5_KT_NOTFOUND) {
- krb5_warn (context, ret, "%s: fetching %s/%s/%u",
- to, name_str, etype_str, entry.vno);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- break;
- }
- if (verbose_flag)
- fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str,
- etype_str, entry.vno);
- ret = krb5_kt_add_entry (context, dst_keytab, &entry);
- krb5_kt_free_entry (context, &entry);
+ ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
if (ret) {
- krb5_warn (context, ret, "%s: adding %s/%s/%u",
- to, name_str, etype_str, entry.vno);
- free(name_str);
- free(etype_str);
break;
}
- free(name_str);
- free(etype_str);
}
krb5_kt_end_seq_get (context, src_keytab, &cursor);
@@ -144,3 +153,67 @@ krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
}
return ret;
}
+
+krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to,
+ const char *principal, krb5_kvno kvno, krb5_enctype *enctypes)
+{
+ krb5_error_code ret;
+ krb5_keytab src_keytab, dst_keytab;
+ krb5_keytab_entry entry;
+ krb5_principal princ;
+ int i;
+ bool found_one = false;
+
+ ret = krb5_parse_name (context, principal, &princ);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_unparse_name");
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, from, &src_keytab);
+ if (ret) {
+ krb5_set_error_message(context, ret, "resolving src keytab `%s'", from);
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, to, &dst_keytab);
+ if (ret) {
+ krb5_kt_close (context, src_keytab);
+ krb5_set_error_message(context, ret, "resolving dst keytab `%s'", to);
+ return ret;
+ }
+
+ for (i=0; enctypes[i]; i++) {
+ ret = krb5_kt_get_entry(context, src_keytab,
+ princ,
+ kvno,
+ enctypes[i],
+ &entry);
+ if (ret == KRB5_KT_NOTFOUND) {
+ continue;
+ } else if (ret) {
+ break;
+ }
+ found_one = true;
+ ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
+ if (ret) {
+ break;
+ }
+ }
+ if (ret == KRB5_KT_NOTFOUND) {
+ if (!found_one) {
+ char *princ_string;
+ int ret2 = krb5_unparse_name (context, princ, &princ_string);
+ if (ret2) {
+ krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
+ }
+ } else {
+ /* Not finding an enc type is not an error, as long as we copied one for the principal */
+ ret = 0;
+ }
+ }
+
+ krb5_kt_close (context, src_keytab);
+ krb5_kt_close (context, dst_keytab);
+ return ret;
+}
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index e8a0a1321d..2dae370b1a 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -45,13 +45,29 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
return NT_STATUS_NO_MEMORY;
}
- unlink(r->in.keytab_name);
+ if (r->in.principal) {
+ /* TODO: Find a way not to have to use a fixed list */
+ krb5_enctype enctypes[] = {
+ KRB5_ENCTYPE_DES_CBC_CRC,
+ KRB5_ENCTYPE_DES_CBC_MD5,
+ KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+ };
+ ret = kt_copy_one_principal(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name, r->in.principal, 0, enctypes);
+ } else {
+ unlink(r->in.keytab_name);
+ ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
+ }
- ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
if(ret) {
r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx);
- return NT_STATUS_UNSUCCESSFUL;
+ if (ret == KRB5_KT_NOTFOUND) {
+ return NT_STATUS_NO_SUCH_USER;
+ } else {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
return NT_STATUS_OK;
}
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
index 194f8907a3..289d19c7a6 100644
--- a/source4/libnet/libnet_export_keytab.h
+++ b/source4/libnet/libnet_export_keytab.h
@@ -20,6 +20,7 @@
struct libnet_export_keytab {
struct {
const char *keytab_name;
+ const char *principal;
} in;
struct {
const char *error_string;
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index 7c90572e12..cf37ccc380 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -188,11 +188,13 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
{
struct libnet_export_keytab r;
TALLOC_CTX *mem_ctx;
- const char *kwnames[] = { "keytab", NULL };
+ const char *kwnames[] = { "keytab", "principal", NULL };
NTSTATUS status;
+ r.in.principal = NULL;
- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s:export_keytab", discard_const_p(char *, kwnames),
- &r.in.keytab_name)) {
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z:export_keytab", discard_const_p(char *, kwnames),
+ &r.in.keytab_name,
+ &r.in.principal)) {
return NULL;
}
diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index a41a9d6734..88d0d70320 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -66,14 +66,15 @@ class cmd_domain_export_keytab(Command):
synopsis = "%prog <keytab> [options]"
takes_options = [
+ Option("--principal", help="extract only this principal", type=str),
]
takes_args = ["keytab"]
- def run(self, keytab, credopts=None, sambaopts=None, versionopts=None):
+ def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
lp = sambaopts.get_loadparm()
- net = Net(None, lp, server=credopts.ipaddress)
- net.export_keytab(keytab=keytab)
+ net = Net(None, lp)
+ net.export_keytab(keytab=keytab, principal=principal)
class cmd_domain_info(Command):
"""Print basic info about a domain and the DC passed as parameter"""