diff options
Diffstat (limited to 'source3/libads/kerberos_keytab.c')
-rw-r--r-- | source3/libads/kerberos_keytab.c | 391 |
1 files changed, 215 insertions, 176 deletions
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index fc87b687d1..80d11d434b 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -9,6 +9,7 @@ Copyright (C) Rakesh Patel 2004 Copyright (C) Dan Perry 2004 Copyright (C) Jeremy Allison 2004 + Copyright (C) Gerald Carter 2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,120 +30,35 @@ #ifdef HAVE_KRB5 +/* This MAX_NAME_LEN is a constant defined in krb5.h */ +#ifndef MAX_KEYTAB_NAME_LEN +#define MAX_KEYTAB_NAME_LEN 1100 +#endif + + /********************************************************************** - Adds a single service principal, i.e. 'host' to the system keytab -***********************************************************************/ +**********************************************************************/ -int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) +static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab, + krb5_kvno kvno, const char *princ_s, + krb5_enctype *enctypes, krb5_data password ) { krb5_error_code ret = 0; - krb5_context context = NULL; - krb5_keytab keytab = NULL; krb5_kt_cursor cursor; krb5_keytab_entry kt_entry; krb5_principal princ = NULL; - krb5_data password; - krb5_enctype *enctypes = NULL; - krb5_kvno kvno; - - char *principal = NULL; - char *princ_s = NULL; - char *password_s = NULL; -#ifndef MAX_KEYTAB_NAME_LEN -#define MAX_KEYTAB_NAME_LEN 1100 -#endif - char keytab_name[MAX_KEYTAB_NAME_LEN]; /* This MAX_NAME_LEN is a constant defined in krb5.h */ - fstring my_fqdn; int i; char *ktprinc = NULL; ZERO_STRUCT(kt_entry); ZERO_STRUCT(cursor); - - initialize_krb5_error_table(); - ret = krb5_init_context(&context); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret))); - return -1; - } -#ifdef HAVE_WRFILE_KEYTAB /* MIT */ - keytab_name[0] = 'W'; - keytab_name[1] = 'R'; - ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4); -#else /* Heimdal */ - ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2); -#endif - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret))); - goto out; - } - DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name)); - ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret))); - goto out; - } - - /* retrieve the password */ - if (!secrets_init()) { - DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n")); - ret = -1; - goto out; - } - password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); - if (!password_s) { - DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n")); - ret = -1; - goto out; - } - password.data = password_s; - password.length = strlen(password_s); - - /* Construct our principal */ - name_to_fqdn(my_fqdn, global_myname()); - strlower_m(my_fqdn); - - if (strchr_m(srvPrinc, '@')) { - /* It's a fully-named principal. */ - asprintf(&princ_s, "%s", srvPrinc); - } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { - /* It's the machine account, as used by smbclient clients. */ - asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()); - } else { - /* It's a normal service principal. Add the SPN now so that we - * can obtain credentials for it and double-check the salt value - * used to generate the service's keys. */ - asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()); - /* Update the directory with the SPN */ - DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s)); - if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), srvPrinc))) { - DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n")); - goto out; - } - } - - ret = get_kerberos_allowed_etypes(context,&enctypes); - if (ret) { - DEBUG(1,("ads_keytab_add_entry: get_kerberos_allowed_etypes failed (%s)\n",error_message(ret))); - goto out; - } - - /* Guess at how the KDC is salting keys for this principal. */ - kerberos_derive_salting_principal(princ_s); - + ret = smb_krb5_parse_name(context, princ_s, &princ); if (ret) { DEBUG(1,("ads_keytab_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret))); goto out; } - kvno = (krb5_kvno) ads_get_kvno(ads, global_myname()); - if (kvno == -1) { /* -1 indicates failure, everything else is OK */ - DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n")); - ret = -1; - goto out; - } - /* Seek and delete old keytab entries */ ret = krb5_kt_start_seq_get(context, keytab, &cursor); if (ret != KRB5_KT_END && ret != ENOENT ) { @@ -275,15 +191,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) } } - krb5_kt_close(context, keytab); - keytab = NULL; /* Done with keytab now. No double free. */ out: - - SAFE_FREE(principal); - SAFE_FREE(password_s); - SAFE_FREE(princ_s); - { krb5_keytab_entry zero_kt_entry; ZERO_STRUCT(zero_kt_entry); @@ -294,10 +203,7 @@ out: if (princ) { krb5_free_principal(context, princ); } - if (enctypes) { - free_kerberos_etypes(context, enctypes); - } - + { krb5_kt_cursor zero_csr; ZERO_STRUCT(zero_csr); @@ -305,6 +211,157 @@ out: krb5_kt_end_seq_get(context, keytab, &cursor); } } + + return (int)ret; +} + + +/********************************************************************** + Adds a single service principal, i.e. 'host' to the system keytab +***********************************************************************/ + +int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) +{ + krb5_error_code ret = 0; + krb5_context context = NULL; + krb5_keytab keytab = NULL; + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 }; + char *princ_s = NULL, *short_princ_s = NULL; + char *password_s = NULL; + char *my_fqdn; + char keytab_name[MAX_KEYTAB_NAME_LEN]; + TALLOC_CTX *ctx = NULL; + char *machine_name; + +#if defined(ENCTYPE_ARCFOUR_HMAC) + enctypes[2] = ENCTYPE_ARCFOUR_HMAC; +#endif + + initialize_krb5_error_table(); + ret = krb5_init_context(&context); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret))); + return -1; + } + +#ifdef HAVE_WRFILE_KEYTAB /* MIT */ + keytab_name[0] = 'W'; + keytab_name[1] = 'R'; + ret = krb5_kt_default_name(context, (char *) &keytab_name[2], MAX_KEYTAB_NAME_LEN - 4); +#else /* Heimdal */ + ret = krb5_kt_default_name(context, (char *) &keytab_name[0], MAX_KEYTAB_NAME_LEN - 2); +#endif + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_default_name failed (%s)\n", error_message(ret))); + goto out; + } + DEBUG(2,("ads_keytab_add_entry: Using default system keytab: %s\n", (char *) &keytab_name)); + ret = krb5_kt_resolve(context, (char *) &keytab_name, &keytab); + if (ret) { + DEBUG(1,("ads_keytab_add_entry: krb5_kt_resolve failed (%s)\n", error_message(ret))); + goto out; + } + + /* retrieve the password */ + if (!secrets_init()) { + DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n")); + ret = -1; + goto out; + } + password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); + if (!password_s) { + DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n")); + ret = -1; + goto out; + } + password.data = password_s; + password.length = strlen(password_s); + + /* we need the dNSHostName value here */ + + if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) { + DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n")); + ret = -1; + goto out; + } + + if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) { + DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n")); + ret = -1; + goto out; + } + + if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) { + DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n")); + ret = -1; + goto out; + } + /*strip the trailing '$' */ + machine_name[strlen(machine_name)-1] = '\0'; + + /* Construct our principal */ + + if (strchr_m(srvPrinc, '@')) { + /* It's a fully-named principal. */ + asprintf(&princ_s, "%s", srvPrinc); + } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { + /* It's the machine account, as used by smbclient clients. */ + asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()); + } else { + /* It's a normal service principal. Add the SPN now so that we + * can obtain credentials for it and double-check the salt value + * used to generate the service's keys. */ + + asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()); + asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm()); + + /* According to http://support.microsoft.com/kb/326985/en-us, + certain principal names are automatically mapped to the host/... + principal in the AD account. So only create these in the + keytab, not in AD. --jerry */ + + if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) { + DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s)); + + if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) { + DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n")); + goto out; + } + } + } + + kvno = (krb5_kvno) ads_get_kvno(ads, global_myname()); + if (kvno == -1) { /* -1 indicates failure, everything else is OK */ + DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n")); + ret = -1; + goto out; + } + + /* add the fqdn principal to the keytab */ + + ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password ); + if ( ret ) { + DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n")); + goto out; + } + + /* add the short principal name if we have one */ + + if ( short_princ_s ) { + ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password ); + if ( ret ) { + DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n")); + goto out; + } + } + +out: + SAFE_FREE( princ_s ); + SAFE_FREE( short_princ_s ); + TALLOC_FREE( ctx ); + if (keytab) { krb5_kt_close(context, keytab); } @@ -440,94 +497,76 @@ int ads_keytab_create_default(ADS_STRUCT *ads) krb5_kt_cursor cursor; krb5_keytab_entry kt_entry; krb5_kvno kvno; - fstring my_fqdn, my_Fqdn, my_name, my_NAME, my_host_realm; - char *p_fqdn; int i, found = 0; + char *sam_account_name, *upn; char **oldEntries = NULL, *princ_s[26]; + TALLOC_CTX *ctx = NULL; + fstring machine_name; memset(princ_s, '\0', sizeof(princ_s)); - ret = ads_keytab_add_entry(ads, "host"); - if (ret) { + fstrcpy( machine_name, global_myname() ); + + /* these are the main ones we need */ + + if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) { DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n")); return ret; } - ret = ads_keytab_add_entry(ads, "cifs"); - if (ret) { + + +#if 0 /* don't create the CIFS/... keytab entries since no one except smbd + really needs them and we will fall back to verifying against secrets.tdb */ + + if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) { DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n")); return ret; } +#endif - fstrcpy(my_name, global_myname()); - strlower_m(my_name); - - fstrcpy(my_NAME, global_myname()); - strupper_m(my_NAME); - - my_fqdn[0] = '\0'; - name_to_fqdn(my_fqdn, global_myname()); - strlower_m(my_fqdn); - - p_fqdn = strchr_m(my_fqdn, '.'); - fstrcpy(my_Fqdn, my_NAME); - if (p_fqdn) { - fstrcat(my_Fqdn, p_fqdn); - } - - fstrcpy(my_host_realm, my_name); - fstrcat(my_host_realm, "."); - fstrcat(my_host_realm, lp_realm()); - strlower_m(my_host_realm); - - asprintf(&princ_s[0], "%s$@%s", my_name, lp_realm()); - asprintf(&princ_s[1], "%s$@%s", my_NAME, lp_realm()); - asprintf(&princ_s[2], "host/%s@%s", my_name, lp_realm()); - asprintf(&princ_s[3], "host/%s@%s", my_NAME, lp_realm()); - asprintf(&princ_s[4], "host/%s@%s", my_fqdn, lp_realm()); - asprintf(&princ_s[5], "host/%s@%s", my_Fqdn, lp_realm()); - asprintf(&princ_s[6], "HOST/%s@%s", my_name, lp_realm()); - asprintf(&princ_s[7], "HOST/%s@%s", my_NAME, lp_realm()); - asprintf(&princ_s[8], "HOST/%s@%s", my_fqdn, lp_realm()); - asprintf(&princ_s[9], "HOST/%s@%s", my_Fqdn, lp_realm()); - asprintf(&princ_s[10], "cifs/%s@%s", my_name, lp_realm()); - asprintf(&princ_s[11], "cifs/%s@%s", my_NAME, lp_realm()); - asprintf(&princ_s[12], "cifs/%s@%s", my_fqdn, lp_realm()); - asprintf(&princ_s[13], "cifs/%s@%s", my_Fqdn, lp_realm()); - asprintf(&princ_s[14], "CIFS/%s@%s", my_name, lp_realm()); - asprintf(&princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm()); - asprintf(&princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm()); - asprintf(&princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm()); - asprintf(&princ_s[18], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm()); - asprintf(&princ_s[19], "CIFS/%s.%s@%s", my_name, lp_realm(), lp_realm()); - asprintf(&princ_s[20], "host/%s.%s@%s", my_name, lp_realm(), lp_realm()); - asprintf(&princ_s[21], "HOST/%s.%s@%s", my_name, lp_realm(), lp_realm()); - - /* when dnsdomain == realm, don't add duplicate principal */ - if (!strequal(my_host_realm, my_fqdn)) { - asprintf(&princ_s[22], "cifs/%s@%s", my_host_realm, lp_realm()); - asprintf(&princ_s[23], "CIFS/%s@%s", my_host_realm, lp_realm()); - asprintf(&princ_s[24], "host/%s@%s", my_host_realm, lp_realm()); - asprintf(&princ_s[25], "HOST/%s@%s", my_host_realm, lp_realm()); - } - - for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) { - if (princ_s[i] != NULL) { - ret = ads_keytab_add_entry(ads, princ_s[i]); - if (ret != 0) { - DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s[i])); - } - SAFE_FREE(princ_s[i]); + if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) { + DEBUG(0,("ads_keytab_create_default: talloc() failed!\n")); + return -1; + } + + /* now add the userPrincipalName and sAMAccountName entries */ + + if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) { + DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n")); + TALLOC_FREE( ctx ); + return -1; + } + + if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) { + DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n", + sam_account_name)); + return ret; + } + + /* remember that not every machine account will have a upn */ + + upn = ads_get_upn( ads, ctx, machine_name); + if ( upn ) { + if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) { + DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n", + upn)); + TALLOC_FREE( ctx ); + return ret; } } - kvno = (krb5_kvno) ads_get_kvno(ads, global_myname()); + TALLOC_FREE( ctx ); + + /* Now loop through the keytab and update any other existing entries... */ + + kvno = (krb5_kvno) ads_get_kvno(ads, machine_name); if (kvno == -1) { DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n")); return -1; } - - DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to preserve and update.\n")); - /* Now loop through the keytab and update any other existing entries... */ + + DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to " + "preserve and update.\n")); ZERO_STRUCT(kt_entry); ZERO_STRUCT(cursor); |