summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos_keytab.c137
1 files changed, 80 insertions, 57 deletions
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 0a350f0727..1daa1a92ad 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -278,38 +278,44 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
krb5_keytab keytab = NULL;
krb5_data password;
krb5_kvno kvno;
- krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_ARCFOUR_HMAC,
- 0 };
- char *princ_s = NULL, *short_princ_s = NULL;
+ krb5_enctype enctypes[4] = {
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_ARCFOUR_HMAC,
+ 0
+ };
+ char *princ_s = NULL;
+ char *short_princ_s = NULL;
char *password_s = NULL;
char *my_fqdn;
- TALLOC_CTX *ctx = NULL;
+ TALLOC_CTX *tmpctx = NULL;
char *machine_name;
+ ADS_STATUS aderr;
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
- DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
+ DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
+ error_message(ret)));
return -1;
}
ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
if (ret) {
- DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
+ DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
+ error_message(ret)));
goto out;
}
/* retrieve the password */
if (!secrets_init()) {
- DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
+ DEBUG(1, (__location__ ": secrets_init failed\n"));
ret = -1;
goto out;
}
password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (!password_s) {
- DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
+ DEBUG(1, (__location__ ": failed to fetch machine password\n"));
ret = -1;
goto out;
}
@@ -318,38 +324,44 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
password.length = strlen(password_s);
/* we need the dNSHostName value here */
-
- if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
- DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
+ tmpctx = talloc_init(__location__);
+ if (!tmpctx) {
+ DEBUG(0, (__location__ ": talloc_init() failed!\n"));
ret = -1;
goto out;
}
-
- if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
- DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
+
+ my_fqdn = ads_get_dnshostname(ads, tmpctx, global_myname());
+ if (!my_fqdn) {
+ DEBUG(0, (__location__ ": unable to determine machine "
+ "account's dns name in AD!\n"));
ret = -1;
- goto out;
+ goto out;
}
-
- if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
- DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
+
+ machine_name = ads_get_samaccountname(ads, tmpctx, global_myname());
+ if (!machine_name) {
+ DEBUG(0, (__location__ ": unable to determine machine "
+ "account's short name in AD!\n"));
ret = -1;
- goto out;
+ goto out;
}
/*strip the trailing '$' */
machine_name[strlen(machine_name)-1] = '\0';
-
- /* Construct our principal */
+ /* Construct our principal */
if (strchr_m(srvPrinc, '@')) {
/* It's a fully-named principal. */
- if (asprintf(&princ_s, "%s", srvPrinc) == -1) {
+ princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
+ if (!princ_s) {
ret = -1;
goto out;
}
} else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
/* It's the machine account, as used by smbclient clients. */
- if (asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm()) == -1) {
+ princ_s = talloc_asprintf(tmpctx, "%s@%s",
+ srvPrinc, lp_realm());
+ if (!princ_s) {
ret = -1;
goto out;
}
@@ -357,61 +369,72 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
/* It's a normal service principal. Add the SPN now so that we
* can obtain credentials for it and double-check the salt value
* used to generate the service's keys. */
-
- if (asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm()) == -1) {
+
+ princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
+ srvPrinc, my_fqdn, lp_realm());
+ if (!princ_s) {
ret = -1;
goto out;
}
- if (asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm()) == -1) {
+ short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
+ srvPrinc, machine_name,
+ lp_realm());
+ if (!princ_s) {
ret = -1;
goto out;
}
-
- /* According to http://support.microsoft.com/kb/326985/en-us,
- certain principal names are automatically mapped to the host/...
- principal in the AD account. So only create these in the
- keytab, not in AD. --jerry */
-
- if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
- DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
-
- if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
- DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
+
+ /* According to http://support.microsoft.com/kb/326985/en-us,
+ certain principal names are automatically mapped to the
+ host/... principal in the AD account.
+ So only create these in the keytab, not in AD. --jerry */
+
+ if (!strequal(srvPrinc, "cifs") &&
+ !strequal(srvPrinc, "host")) {
+ DEBUG(3, (__location__ ": Attempting to add/update "
+ "'%s'\n", princ_s));
+
+ aderr = ads_add_service_principal_name(ads,
+ global_myname(), my_fqdn, srvPrinc);
+ if (!ADS_ERR_OK(aderr)) {
+ DEBUG(1, (__location__ ": failed to "
+ "ads_add_service_principal_name.\n"));
goto out;
}
}
}
- kvno = (krb5_kvno) ads_get_machine_kvno(ads, global_myname());
- if (kvno == -1) { /* -1 indicates failure, everything else is OK */
- DEBUG(1,("ads_keytab_add_entry: ads_get_machine_kvno failed to determine the system's kvno.\n"));
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, global_myname());
+ if (kvno == -1) {
+ /* -1 indicates failure, everything else is OK */
+ DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
+ "determine the system's kvno.\n"));
ret = -1;
goto out;
}
-
+
/* add the fqdn principal to the keytab */
-
- ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
- if ( ret ) {
- DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
+ ret = smb_krb5_kt_add_entry(context, keytab, kvno,
+ princ_s, enctypes, password);
+ if (ret) {
+ DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
goto out;
}
-
+
/* add the short principal name if we have one */
-
- if ( short_princ_s ) {
- ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
- if ( ret ) {
- DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
+ if (short_princ_s) {
+ ret = smb_krb5_kt_add_entry(context, keytab, kvno,
+ short_princ_s, enctypes, password);
+ if (ret) {
+ DEBUG(1, (__location__
+ ": Failed to add short entry to keytab\n"));
goto out;
}
}
out:
- SAFE_FREE( princ_s );
- SAFE_FREE( short_princ_s );
- TALLOC_FREE( ctx );
-
+ TALLOC_FREE(tmpctx);
+
if (keytab) {
krb5_kt_close(context, keytab);
}