Catching more principals in ads_keytab_verify_ticket()
Doug VanLeuven
roamdad at sonic.net
Sun Mar 13 02:34:17 GMT 2005
Doug VanLeuven wrote:
> Jeremy Allison wrote:
>
>> On Fri, Mar 11, 2005 at 01:44:41AM -0800, Doug VanLeuven wrote:
>>
>>
>>>>> Even without the global option, updating the static list to
>>>>> include cifs/<host>.<realm>@<REALM> might help fix bug 2414. I've
>>>>> got a patch for just that part right now.
>>>>>
>>>>
>>>> This patch adds these variations to samba managed keytabs:
>>>> <global_myname()>.<REALM>@REALM that Michael Brown noticed
>>>> and
>>>> <global_myname()>.<realm>@REALM that I'm seeing from Enterprise
>>>> 2003 Native mode for out-of-realm dns domains.
>>>>
>>>
> My Enterprise 2003 AD KDC started upcasing the first letter of the
> host name.
> Adding this variation to libads/kerberos_keytab.c would add 13
> additional entries for a total of 39.
> I wouldn't be surprised if I started seeing Host and Cifs. That would
> double the table size to 78 entries.
> That seems unreasonable.
>
> This patch adds a global LIST variable to smb.conf allowing an
> administrator to specify additional keytab principals in lieu of
> patching the source and recompiling. Suppresses duplicate static
> entries.
>
> keytab principals = HOST/Lex@NT.LDXNET.COM \
> cifs/Lex.nt.ldxnet.com@NT.LDXNET.COM \
> Lex$@NT.LDXNET.COM HOST/LEX@NT.LDXNET.COM
I seem to have a problem remembering attachments.
Regards, Doug
-------------- next part --------------
Index: param/loadparm.c
===================================================================
--- param/loadparm.c (revision 5777)
+++ param/loadparm.c (working copy)
@@ -291,6 +291,7 @@
BOOL bDisableNetbios;
BOOL bKernelChangeNotify;
BOOL bUseKerberosKeytab;
+ char **szKerberosKeytabNames;
BOOL bDeferSharingViolations;
BOOL bEnablePrivileges;
int restrict_anonymous;
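Review bot: nothing in the patch assigns a default to the new `szKerberosKeytabNames` member; the consumer in kerberos_keytab.c relies on `lp_keytab_principals()` returning NULL when the parameter is unset, which only holds because `init_globals()` zeroes the `Globals` struct. Consider an explicit `Globals.szKerberosKeytabNames = NULL;` in `init_globals()` next to the other Kerberos defaults so that dependency is visible rather than implied.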
@@ -877,6 +878,7 @@
{"deny hosts", P_LIST, P_LOCAL, &sDefault.szHostsdeny, NULL, NULL, FLAG_HIDE},
{"preload modules", P_LIST, P_GLOBAL, &Globals.szPreloadModules, NULL, NULL, FLAG_ADVANCED | FLAG_GLOBAL},
{"use kerberos keytab", P_BOOL, P_GLOBAL, &Globals.bUseKerberosKeytab, NULL, NULL, FLAG_ADVANCED},
+ {"keytab principals", P_LIST, P_GLOBAL, &Globals.szKerberosKeytabNames, NULL, NULL, FLAG_ADVANCED},
{N_("Logging Options"), P_SEP, P_SEPARATOR},
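Review bot: the new `keytab principals` parameter ships without documentation; a new smb.conf option needs a man page entry stating the expected format (from the covering mail, a whitespace-separated list of full principal names including the realm, e.g. `cifs/Lex.nt.ldxnet.com@NT.LDXNET.COM`) and that it only takes effect together with `use kerberos keytab = yes`. Placing it directly after `use kerberos keytab` with matching `P_GLOBAL` and `FLAG_ADVANCED` flags is consistent with the surrounding table.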
@@ -1790,6 +1792,7 @@
FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
FN_GLOBAL_BOOL(lp_kernel_change_notify, &Globals.bKernelChangeNotify)
FN_GLOBAL_BOOL(lp_use_kerberos_keytab, &Globals.bUseKerberosKeytab)
+FN_GLOBAL_LIST(lp_keytab_principals, &Globals.szKerberosKeytabNames)
FN_GLOBAL_BOOL(lp_defer_sharing_violations, &Globals.bDeferSharingViolations)
FN_GLOBAL_BOOL(lp_enable_privileges, &Globals.bEnablePrivileges)
FN_GLOBAL_INTEGER(lp_os_level, &Globals.os_level)
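Review bot: the accessor name `lp_keytab_principals` does not match the member it wraps, `szKerberosKeytabNames`, whereas every neighbouring pair in this block does (`lp_use_kerberos_keytab` / `bUseKerberosKeytab`, `lp_defer_sharing_violations` / `bDeferSharingViolations`); renaming the member to `szKeytabPrincipals` in the first hunk would keep the file's convention and make the smb.conf name, accessor and storage field line up.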
Index: libads/kerberos_keytab.c
===================================================================
--- libads/kerberos_keytab.c (revision 5777)
+++ libads/kerberos_keytab.c (working copy)
@@ -509,6 +509,24 @@
asprintf(&princ_s[24], "host/%s@%s", my_host_realm, lp_realm());
asprintf(&princ_s[25], "HOST/%s@%s", my_host_realm, lp_realm());
}
+ if (lp_keytab_principals()) {
+ int j;
+ const char **keytab_principals = lp_keytab_principals();
+ for (i=0; keytab_principals[i]; i++) {
+ /* avoid duplicating manually entered names */
+ for (j=0; j < sizeof(princ_s) / sizeof(princ_s[0]); j++) {
+ if (princ_s[j] != NULL) {
+ if (strcsequal(keytab_principals[i], princ_s[j])) {
+ SAFE_FREE(princ_s[j]);
+ }
+ }
+ }
+ ret = ads_keytab_add_entry(ads, keytab_principals[i]);
+ if (ret != 0) {
+ DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s[i]));
+ }
+ }
+ }
for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) {
if (princ_s[i] != NULL) {
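Review bot: the failure message `DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding '%s'.\n", princ_s[i]))` prints the wrong array; the entry being added is `keytab_principals[i]`, and `princ_s[i]` at that index may be an unrelated static principal or NULL (possibly one this very loop just freed), so the log misattributes the failure. Separately, the duplicate-suppression loop calls `SAFE_FREE(princ_s[j])` before `ads_keytab_add_entry()` runs, so if adding the administrator's copy fails the principal is written from neither list and the keytab silently loses an entry it would have had without the option; either free the static duplicate only after a successful add, or skip the manual entry and let the static one through. Also, `ret != 0` is logged but the loop continues, so a failed manual entry leaves `ret` set for whatever code follows the visible hunk; check that the caller's error handling expects that. Using `strcsequal()` (case-sensitive) for the comparison is the right choice here, since `host/` and `HOST/` are deliberately distinct entries in `princ_s`.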