[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Nov 29 01:21:02 MST 2011


The branch, master has been updated
       via  2bff209 s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
      from  8eef716 s4-provision: Fix the security ace for DnsAdmins group on DNS records

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2bff209128b85bd870ad36fa00ffcc92edbbab08
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 29 12:47:40 2011 +1100

    s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab
    
    This allows only a particular principal to be exported to the keytab.
    This is useful when setting up unix servers in a Samba controlled
    domain.
    
    Based on a request by Gémes Géza <geza at kzsdabas.hu>
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/kerberos/keytab_copy.c             |  195 ++++++++++++++++-------
 source4/libnet/libnet_export_keytab.c           |   22 +++-
 source4/libnet/libnet_export_keytab.h           |    1 +
 source4/libnet/py_net.c                         |    8 +-
 source4/scripting/python/samba/netcmd/domain.py |    7 +-
 testprogs/blackbox/test_export_keytab.sh        |   12 ++-
 6 files changed, 174 insertions(+), 71 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/kerberos/keytab_copy.c b/source4/auth/kerberos/keytab_copy.c
index ba4ea2b..d823e02 100644
--- a/source4/auth/kerberos/keytab_copy.c
+++ b/source4/auth/kerberos/keytab_copy.c
@@ -1,6 +1,8 @@
 /*
  * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2011 Andrew Bartlett
+ *
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,8 +37,6 @@
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
 
-static const krb5_boolean verbose_flag = FALSE;
-
 static krb5_boolean
 compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
 {
@@ -47,90 +47,99 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
     return TRUE;
 }
 
+static krb5_error_code copy_one_entry(krb5_context context, 
+				      krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry) 
+{
+    krb5_error_code ret;
+    krb5_keytab_entry dummy;
+
+    char *name_str;
+    char *etype_str;
+    ret = krb5_unparse_name (context, entry.principal, &name_str);
+    if(ret) {
+	krb5_set_error_message(context, ret, "krb5_unparse_name");
+	name_str = NULL; /* XXX */
+	return ret;
+    }
+    ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
+    if(ret) {
+	krb5_set_error_message(context, ret, "krb5_enctype_to_string");
+	etype_str = NULL; /* XXX */
+	return ret;
+    }
+    ret = krb5_kt_get_entry(context, dst_keytab,
+			    entry.principal,
+			    entry.vno,
+			    entry.keyblock.keytype,
+			    &dummy);
+    if(ret == 0) {
+	/* this entry is already in the new keytab, so no need to
+	   copy it; if the keyblocks are not the same, something
+	   is weird, so complain about that */
+	if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
+		krb5_warn(context, 0, "entry with different keyvalue "
+			  "already exists for %s, keytype %s, kvno %d",
+			  name_str, etype_str, entry.vno);
+	}
+	krb5_kt_free_entry(context, &dummy);
+	krb5_kt_free_entry (context, &entry);
+	free(name_str);
+	free(etype_str);
+	return ret;
+    } else if(ret != KRB5_KT_NOTFOUND) {
+	krb5_set_error_message (context, ret, "fetching %s/%s/%u",
+				name_str, etype_str, entry.vno);
+	krb5_kt_free_entry (context, &entry);
+	free(name_str);
+	free(etype_str);
+	return ret;
+    } 
+    ret = krb5_kt_add_entry (context, dst_keytab, &entry);
+    krb5_kt_free_entry (context, &entry);
+    if (ret) {
+	krb5_set_error_message (context, ret, "adding %s/%s/%u",
+				name_str, etype_str, entry.vno);
+	free(name_str);
+	free(etype_str);
+	return ret;
+    }
+    free(name_str);
+    free(etype_str);
+    return ret;
+}
+
 krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
 {
     krb5_error_code ret;
     krb5_keytab src_keytab, dst_keytab;
     krb5_kt_cursor cursor;
-    krb5_keytab_entry entry, dummy;
+    krb5_keytab_entry entry;
 
     ret = krb5_kt_resolve (context, from, &src_keytab);
     if (ret) {
-	krb5_warn (context, ret, "resolving src keytab `%s'", from);
-	return 1;
+	krb5_set_error_message (context, ret, "resolving src keytab `%s'", from);
+	return ret;
     }
 
     ret = krb5_kt_resolve (context, to, &dst_keytab);
     if (ret) {
 	krb5_kt_close (context, src_keytab);
-	krb5_warn (context, ret, "resolving dst keytab `%s'", to);
-	return 1;
+	krb5_set_error_message (context, ret, "resolving dst keytab `%s'", to);
+	return ret;
     }
 
     ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
     if (ret) {
-	krb5_warn (context, ret, "krb5_kt_start_seq_get %s", from);
+	krb5_set_error_message (context, ret, "krb5_kt_start_seq_get %s", from);
 	goto out;
     }
 
-    if (verbose_flag)
-	fprintf(stderr, "copying %s to %s\n", from, to);
-
     while((ret = krb5_kt_next_entry(context, src_keytab,
 				    &entry, &cursor)) == 0) {
-	char *name_str;
-	char *etype_str;
-	ret = krb5_unparse_name (context, entry.principal, &name_str);
-	if(ret) {
-	    krb5_warn(context, ret, "krb5_unparse_name");
-	    name_str = NULL; /* XXX */
-	}
-	ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
-	if(ret) {
-	    krb5_warn(context, ret, "krb5_enctype_to_string");
-	    etype_str = NULL; /* XXX */
-	}
-	ret = krb5_kt_get_entry(context, dst_keytab,
-				entry.principal,
-				entry.vno,
-				entry.keyblock.keytype,
-				&dummy);
-	if(ret == 0) {
-	    /* this entry is already in the new keytab, so no need to
-               copy it; if the keyblocks are not the same, something
-               is weird, so complain about that */
-	    if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) {
-		krb5_warnx(context, "entry with different keyvalue "
-			   "already exists for %s, keytype %s, kvno %d",
-			   name_str, etype_str, entry.vno);
-	    }
-	    krb5_kt_free_entry(context, &dummy);
-	    krb5_kt_free_entry (context, &entry);
-	    free(name_str);
-	    free(etype_str);
-	    continue;
-	} else if(ret != KRB5_KT_NOTFOUND) {
-	    krb5_warn (context, ret, "%s: fetching %s/%s/%u",
-		       to, name_str, etype_str, entry.vno);
-	    krb5_kt_free_entry (context, &entry);
-	    free(name_str);
-	    free(etype_str);
-	    break;
-	} 
-	if (verbose_flag)
-	    fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str,
-		     etype_str, entry.vno);
-	ret = krb5_kt_add_entry (context, dst_keytab, &entry);
-	krb5_kt_free_entry (context, &entry);
+	ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
 	if (ret) {
-	    krb5_warn (context, ret, "%s: adding %s/%s/%u",
-		       to, name_str, etype_str, entry.vno);
-	    free(name_str);
-	    free(etype_str);
 	    break;
 	}
-	free(name_str);
-	free(etype_str);
     }
     krb5_kt_end_seq_get (context, src_keytab, &cursor);
 
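Review bot: The two early returns in `copy_one_entry` before the `krb5_kt_get_entry` lookup are asymmetric with the rest of the function: the `krb5_unparse_name` and `krb5_enctype_to_string` failure paths return without `krb5_kt_free_entry(context, &entry)`, the second one also leaks `name_str`, and since `kt_copy` only `break`s on a non-zero return that entry's principal and keyblock are never released. The `name_str = NULL; /* XXX */` and `etype_str = NULL; /* XXX */` assignments are dead now that the function returns on the following line. The "adding %s/%s/%u" message reads `entry.vno` after `krb5_kt_free_entry(context, &entry)` has already run; whether `vno` survives that call depends on the library's free routine (Heimdal's zeroes the struct), so either free after the message or capture the kvno first. The `src_keytab` parameter is unused and could be dropped. Note also that when the destination already holds a different key for the same principal/kvno/enctype the code only warns and keeps the stale key, which callers re-exporting into an existing keytab should be aware of.
```c
    ret = krb5_unparse_name (context, entry.principal, &name_str);
    if(ret) {
	krb5_set_error_message(context, ret, "krb5_unparse_name");
	krb5_kt_free_entry (context, &entry);
	return ret;
    }
    ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str);
    if(ret) {
	krb5_set_error_message(context, ret, "krb5_enctype_to_string");
	krb5_kt_free_entry (context, &entry);
	free(name_str);
	return ret;
    }
    /* … unchanged: krb5_kt_get_entry lookup and duplicate-entry handling … */
    ret = krb5_kt_add_entry (context, dst_keytab, &entry);
    if (ret) {
	/* format the message before the entry (and its vno) is released */
	krb5_set_error_message (context, ret, "adding %s/%s/%u",
				name_str, etype_str, entry.vno);
    }
    krb5_kt_free_entry (context, &entry);
    free(name_str);
    free(etype_str);
    return ret;
```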
@@ -144,3 +153,67 @@ krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
     }
     return ret;
 }
+
+krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to, 
+				       const char *principal, krb5_kvno kvno, krb5_enctype *enctypes)
+{
+    krb5_error_code ret;
+    krb5_keytab src_keytab, dst_keytab;
+    krb5_keytab_entry entry;
+    krb5_principal princ;
+    int i;
+    bool found_one = false;
+
+    ret = krb5_parse_name (context, principal, &princ);
+    if(ret) {
+	    krb5_set_error_message(context, ret, "krb5_unparse_name");
+	    return ret;
+    }
+
+    ret = krb5_kt_resolve (context, from, &src_keytab);
+    if (ret) {
+	krb5_set_error_message(context, ret, "resolving src keytab `%s'", from);
+	return ret;
+    }
+
+    ret = krb5_kt_resolve (context, to, &dst_keytab);
+    if (ret) {
+	krb5_kt_close (context, src_keytab);
+	krb5_set_error_message(context, ret, "resolving dst keytab `%s'", to);
+	return ret;
+    }
+
+    for (i=0; enctypes[i]; i++) {
+  	ret = krb5_kt_get_entry(context, src_keytab,
+				princ,
+				kvno,
+				enctypes[i],
+				&entry);
+	if (ret == KRB5_KT_NOTFOUND) {
+	    continue;
+	} else if (ret) {
+	    break;
+	}
+	found_one = true;
+	ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
+	if (ret) {
+	    break;
+	}
+    }
+    if (ret == KRB5_KT_NOTFOUND) {
+	if (!found_one) {
+	    char *princ_string;
+	    int ret2 = krb5_unparse_name (context, princ, &princ_string);
+	    if (ret2) {
+		krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
+	    }
+	} else {
+	    /* Not finding an enc type is not an error, as long as we copied one for the principal */
+	    ret = 0;
+	}
+    }
+
+    krb5_kt_close (context, src_keytab);
+    krb5_kt_close (context, dst_keytab);
+    return ret;
+}
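Review bot: The not-found branch at the end of `kt_copy_one_principal` has its condition inverted: when `krb5_unparse_name` fails (`ret2 != 0`) it formats the uninitialised `princ_string` with `%s`, and when it succeeds it sets no error message at all and leaks the string. `princ` returned by `krb5_parse_name` is never released with `krb5_free_principal` on any path, and that call's failure message names `krb5_unparse_name` rather than `krb5_parse_name`. The loop relies on `enctypes` being zero-terminated, which belongs in the function's contract, e.g. `/* enctypes: zero-terminated list of key types to copy; kvno 0 selects the current key */` above the definition. The mixed space/tab indentation on the `ret = krb5_kt_get_entry(` line is a small style nit.
```c
    if (ret == KRB5_KT_NOTFOUND && !found_one) {
	char *princ_string = NULL;
	/* fall back to the caller's spelling if the principal cannot be unparsed */
	if (krb5_unparse_name (context, princ, &princ_string) == 0) {
	    krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
	    free(princ_string);
	} else {
	    krb5_set_error_message(context, ret, "failed to fetch principal %s", principal);
	}
    } else if (ret == KRB5_KT_NOTFOUND) {
	/* Not finding an enc type is not an error, as long as we copied one for the principal */
	ret = 0;
    }

    krb5_free_principal (context, princ);
    krb5_kt_close (context, src_keytab);
    krb5_kt_close (context, dst_keytab);
    return ret;
```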
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index e8a0a13..2dae370 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -45,13 +45,29 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	unlink(r->in.keytab_name);
+	if (r->in.principal) {
+		/* TODO: Find a way not to have to use a fixed list */
+		krb5_enctype enctypes[] = {
+			KRB5_ENCTYPE_DES_CBC_CRC,
+			KRB5_ENCTYPE_DES_CBC_MD5,
+			KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+			KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+			KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+		};
+		ret = kt_copy_one_principal(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name, r->in.principal, 0, enctypes);
+	} else {
+		unlink(r->in.keytab_name);
+		ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
+	}
 
-	ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
 	if(ret) {
 		r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 								 ret, mem_ctx);
-		return NT_STATUS_UNSUCCESSFUL;
+		if (ret == KRB5_KT_NOTFOUND) {
+			return NT_STATUS_NO_SUCH_USER;
+		} else {
+			return NT_STATUS_UNSUCCESSFUL;
+		}
 	}
 	return NT_STATUS_OK;
 }
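Review bot: The `enctypes` array handed to `kt_copy_one_principal` has no terminating element, while that function iterates `for (i=0; enctypes[i]; i++)` until it meets a zero enctype; every listed enctype is non-zero, so the loop reads past the end of the stack array — undefined behaviour, in practice an out-of-bounds read until some stack word happens to be zero. Append a terminator to the initialiser, `KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, 0 /* zero terminates the list */`, or pass an explicit count. The list also includes the single-DES enctypes, which is reasonable for copying whatever the directory holds but deserves a one-line comment so it is not read as an endorsement. Note too that the `--principal` path deliberately skips the `unlink`, so repeated exports accumulate entries in an existing keytab rather than replacing it; a sentence to that effect in the option help would save users a surprise.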
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
index 194f890..289d19c 100644
--- a/source4/libnet/libnet_export_keytab.h
+++ b/source4/libnet/libnet_export_keytab.h
@@ -20,6 +20,7 @@
 struct libnet_export_keytab {
 	struct {
 		const char *keytab_name;
+		const char *principal;
 	} in;
 	struct {
 		const char *error_string;
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index 7c90572..cf37ccc 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -188,11 +188,13 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
 {
 	struct libnet_export_keytab r;
 	TALLOC_CTX *mem_ctx;
-	const char *kwnames[] = { "keytab", NULL };
+	const char *kwnames[] = { "keytab", "principal", NULL };
 	NTSTATUS status;
+	r.in.principal = NULL;
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s:export_keytab", discard_const_p(char *, kwnames),
-					 &r.in.keytab_name)) {
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z:export_keytab", discard_const_p(char *, kwnames),
+					 &r.in.keytab_name,
+					 &r.in.principal)) {
 		return NULL;
 	}
 
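Review bot: `struct libnet_export_keytab r;` is left uninitialised apart from the explicit `r.in.principal = NULL;` added here; zero-initialising the whole struct, `struct libnet_export_keytab r = {0};` (or the project's zeroing macro if it has one), means the next optional `in` field added the way `principal` was in this commit cannot be read as garbage by `libnet_export_keytab`. The `s|z` format is the right choice since it lets the Python side pass `None` for the principal. The function's body continues past the end of the hunk.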
diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index a41a9d6..88d0d70 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -66,14 +66,15 @@ class cmd_domain_export_keytab(Command):
     synopsis = "%prog <keytab> [options]"
 
     takes_options = [
+        Option("--principal", help="extract only this principal", type=str),
         ]
 
     takes_args = ["keytab"]
 
-    def run(self, keytab, credopts=None, sambaopts=None, versionopts=None):
+    def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None):
         lp = sambaopts.get_loadparm()
-        net = Net(None, lp, server=credopts.ipaddress)
-        net.export_keytab(keytab=keytab)
+        net = Net(None, lp)
+        net.export_keytab(keytab=keytab, principal=principal)
 
 class cmd_domain_info(Command):
     """Print basic info about a domain and the DC passed as parameter"""
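Review bot: `Net(None, lp, server=credopts.ipaddress)` became `Net(None, lp)`, silently dropping the `server` argument; the commit message does not mention it, and if the export really reads keys from the local database then `credopts` is now unused and the change deserves a line in the message, otherwise a remote-DC target has been lost. The `--principal` help should show the spellings the tests exercise, e.g. `help="extract only this principal (e.g. cifs/host.example.com or user@REALM)"`. The command also writes password-equivalent key material to `keytab`; a sentence in the class docstring (outside this hunk) telling users to protect the file like a password would be appropriate.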
diff --git a/testprogs/blackbox/test_export_keytab.sh b/testprogs/blackbox/test_export_keytab.sh
index 7c63704..a2debfe 100755
--- a/testprogs/blackbox/test_export_keytab.sh
+++ b/testprogs/blackbox/test_export_keytab.sh
@@ -49,6 +49,12 @@ testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || fail
 testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
 testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
 
+testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
+
+testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
+
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
 
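Review bot: The new `--principal` tests only assert that the export succeeds and, further down, that `kinit` works with the result; nothing checks the feature's defining property, that only the requested principal landed in the keytab. A negative check would pin it, e.g. `testit_expect_failure "kinit as other principal from single-principal keytab" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab-2 cifs/$SERVER@$REALM $@ || failed=\`expr $failed + 1\``, assuming the harness provides that helper; otherwise listing the keytab and grepping for the principal would do. Within the visible hunks the two `cifs/$SERVER` exports into `tmpkeytab-server` never use that file, so either exercise it or drop one of them.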
@@ -56,6 +62,10 @@ testit "kinit with keytab as user" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpke
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
+testit "kinit with keytab as user (2)" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab-2 --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache as user (2)" 'ls' -k yes || failed=`expr $failed + 1`
+
 KRB5CCNAME="$PREFIX/tmpadminccache"
 export KRB5CCNAME
 
@@ -63,5 +73,5 @@ testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/
 
 testit "del user" $VALGRIND $samba_tool user delete nettestuser -k yes $@ || failed=`expr $failed + 1`
 
-rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab
+rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server
 exit $failed

