kadmin or keytab extraction

Gémes Géza geza at kzsdabas.hu
Wed Nov 23 14:32:10 MST 2011 

2011-11-23 22:15 keltezéssel, Andrew Bartlett írta:
> On Wed, 2011-11-23 at 20:34 +0100, Gémes Géza wrote:
>> 2011-11-22 22:45 keltezéssel, Andrew Bartlett írta:
>>> On Tue, 2011-11-22 at 21:14 +0100, Gémes Géza wrote:
>>>
>>>> 2. Problems from the point of view of a *nix sysadmin:
>>>>     a. The KDC is quite hard to manage (no per principal keytab export
>>>> utility (I've wrote one, but it doesn't take spns into account)) (Today
>>>> I'll start to try implementing (at least parts of) kadmin into Samba4)
>>> I've been taking a bit of a break from full time Samba development over
>>> the past little while, but I'm happy to help you get the keytab
>>> management code you need.
>>>
>>> Andrew Bartlett
>>>
>> Hi,
>>
>> My code practically replicates the code behind samba-tool domain
>> exportkeytab, with a new structure (which mimics libnet_export_keytab
>> adding just a principal) and passing that principal to a slightly
>> modified auth/kerberos/keytab_copy.c based kt_ext function which
>> iterates over the source keytab (Samba4:HDB in this case) and if the
>> principal it seas is the same as the parameter given it copies it to the
>> output keytab.
>> Everything works quite well (I still feel the code quite hackish) except
>> that I can't compare against spns (just now I've found the typedef of
>> krb5_keytab_entry and try to get use of it).
>>
>> Thank you for your offer to help!
> You really shouldn't try and handle it by iteration (because I do not
> expose them for iteration), but you can try and call krb5_kt_get_entry
> on the specific principal if you want.  
>
> I'm not sure that going via the keytab -> hdb -> hdb_samba4 -> sambdb
> layers is the best approach.  There is code in the source3/ 'net samdump
> keytab' that can write out a keytab from the raw database entries.  If
> that code was made common, you could search for the entry in ldb, and
> then just feed it the blobs to produce the keytab. 
>
> Andrew Bartlett
>
Calling krb5_kt_get_entry directly would be lot more efficient, I just
couldn't figure out how to get all the vno and keyblock.keytype
attributes of a given principal without iterating over the keytab.
Please tell me if there is any other way.
I'll have a look at the source3 net samdump code in the meantime.

Cheers

Geza

More information about the samba-technical mailing list