kadmin or keytab extraction

Andrew Bartlett abartlet at samba.org
Wed Nov 23 14:15:50 MST 2011


On Wed, 2011-11-23 at 20:34 +0100, Gémes Géza wrote:
> On 2011-11-22 22:45, Andrew Bartlett wrote:
> > On Tue, 2011-11-22 at 21:14 +0100, Gémes Géza wrote:
> >
> >> 2. Problems from the point of view of a *nix sysadmin:
> >>     a. The KDC is quite hard to manage (no per principal keytab export
> >> utility (I've written one, but it doesn't take SPNs into account)) (Today
> >> I'll start to try implementing (at least parts of) kadmin into Samba4)
> > I've been taking a bit of a break from full time Samba development over
> > the past little while, but I'm happy to help you get the keytab
> > management code you need.
> >
> > Andrew Bartlett
> >
> Hi,
> 
> My code practically replicates the code behind samba-tool domain
> exportkeytab, with a new structure (which mimics libnet_export_keytab
> adding just a principal) and passing that principal to a slightly
> modified auth/kerberos/keytab_copy.c based kt_ext function which
> iterates over the source keytab (Samba4:HDB in this case) and if the
> principal it sees is the same as the parameter given it copies it to the
> output keytab.
> Everything works quite well (I still feel the code quite hackish) except
> that I can't compare against SPNs (just now I've found the typedef of
> krb5_keytab_entry and am trying to make use of it).
> 
> Thank you for your offer to help!

You really shouldn't try and handle it by iteration (because I do not
expose them for iteration), but you can try and call krb5_kt_get_entry
on the specific principal if you want.  

I'm not sure that going via the keytab -> hdb -> hdb_samba4 -> samdb
layers is the best approach.  There is code in the source3/ 'net samdump
keytab' that can write out a keytab from the raw database entries.  If
that code was made common, you could search for the entry in ldb, and
then just feed it the blobs to produce the keytab. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
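The approach Andrew describes above, producing a keytab directly from raw database fields and keeping only one principal's entries, as an added Python example that is not Samba's or either poster's code. It packs and parses the 0x0502 keytab file format itself (the version MIT and Heimdal tools write); the realm, principals and key bytes a caller passes in are placeholders, and the name_type=1 (KRB5_NT_PRINCIPAL) and timestamp=0 defaults are assumptions.

```python
import struct
KEYTAB_VERSION = b"\x05\x02"  # MIT/Heimdal keytab file format version 0x0502

def pack_entry(realm, components, kvno, enctype, key, name_type=1, timestamp=0):
    """Serialize one keytab entry from raw fields: principal, kvno, enctype, key."""
    counted = lambda s: struct.pack(">H", len(s)) + s  # uint16 length-prefixed string
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # vno8 truncates
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno extension keeps kvno > 255 intact
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    return KEYTAB_VERSION + b"".join(pack_entry(**e) for e in entries)

def read_keytab(blob):
    """Parse a 0x0502 keytab into dicts carrying the same fields pack_entry takes."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:  # negative size marks a deleted slot; skip its bytes
            off -= size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", blob, off)
        realm = blob[off + 4:off + 4 + rlen].decode()
        off += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, off)
            comps.append(blob[off + 2:off + 2 + clen].decode())
            off += 2 + clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        enctype, klen = struct.unpack_from(">HH", blob, off + 9)
        key = blob[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = struct.unpack_from(">I", blob, off)[0] if end - off >= 4 else vno8
        entries.append(dict(realm=realm, components=comps, kvno=kvno, enctype=enctype,
                            key=key, name_type=name_type, timestamp=timestamp))
        off = end
    return entries

def export_principal(blob, principal):
    # Keep only the entries whose "comp/comp@REALM" name matches exactly
    wanted = [e for e in read_keytab(blob)
              if "/".join(e["components"]) + "@" + e["realm"] == principal]
    return write_keytab(wanted)
```

Because the match is on the full principal name, an SPN such as cifs/host@REALM is selected by naming it exactly rather than by iterating over the keytab.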