kadmin or keytab extraction

Andrew Bartlett abartlet at samba.org
Wed Nov 23 15:23:37 MST 2011


On Wed, 2011-11-23 at 22:32 +0100, Gémes Géza wrote:
> On 2011-11-23 22:15, Andrew Bartlett wrote:
> > On Wed, 2011-11-23 at 20:34 +0100, Gémes Géza wrote:
> >> On 2011-11-22 22:45, Andrew Bartlett wrote:
> >>> On Tue, 2011-11-22 at 21:14 +0100, Gémes Géza wrote:
> >>>
> >>>> 2. Problems from the point of view of a *nix sysadmin:
> >>>>     a. The KDC is quite hard to manage (no per principal keytab export
> >>>> utility (I've written one, but it doesn't take SPNs into account)) (Today
> >>>> I'll start to try implementing (at least parts of) kadmin into Samba4)
> >>> I've been taking a bit of a break from full time Samba development over
> >>> the past little while, but I'm happy to help you get the keytab
> >>> management code you need.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi,
> >>
> >> My code practically replicates the code behind samba-tool domain
> >> exportkeytab, with a new structure (which mimics libnet_export_keytab
> >> adding just a principal) and passing that principal to a slightly
> >> modified auth/kerberos/keytab_copy.c based kt_ext function which
> >> iterates over the source keytab (Samba4:HDB in this case) and if the
> >> principal it sees is the same as the parameter given it copies it to the
> >> output keytab.
> >> Everything works quite well (I still feel the code quite hackish) except
> >> that I can't compare against SPNs (just now I've found the typedef of
> >> krb5_keytab_entry and am trying to make use of it).
> >>
> >> Thank you for your offer to help!
> > You really shouldn't try and handle it by iteration (because I do not
> > expose them for iteration), but you can try and call krb5_kt_get_entry
> > on the specific principal if you want.  
> >
> > I'm not sure that going via the keytab -> hdb -> hdb_samba4 -> sambdb
> > layers is the best approach.  There is code in the source3/ 'net samdump
> > keytab' that can write out a keytab from the raw database entries.  If
> > that code was made common, you could search for the entry in ldb, and
> > then just feed it the blobs to produce the keytab. 
> >
> > Andrew Bartlett
> >
> Calling krb5_kt_get_entry directly would be a lot more efficient, I just
> couldn't figure out how to get all the vno and keyblock.keytype
> attributes of a given principal without iterating over the keytab.

The kvno is the msDS-KeyVersionNumber, and you can just iterate over the
known-to-be-stored key types (we only handle a few, see the
password_hash module). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
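The samdump-style route described in this thread (look the object up in ldb, take the kvno from msDS-KeyVersionNumber, write one keytab entry per key type Samba is known to store, for the account name and each of its SPNs), as an added Python example that is not Samba's or the poster's code. The record dict, principal list and key bytes are constructed placeholders, and the set of stored enctypes is an assumption.

```python
import struct
# Added example, not Samba code. Builds a keytab straight from directory data as the samdump
# route above suggests: kvno from msDS-KeyVersionNumber, one entry per stored key type.
KNOWN_ENCTYPES = (18, 17, 23)  # aes256-cts, aes128-cts, arcfour-hmac (RFC ids; assumed set)
KRB5_NT_PRINCIPAL = 1
_counted = lambda d: struct.pack(">H", len(d)) + d  # keytab counted string: uint16 len + bytes

def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """One keytab v2 entry in the layout both MIT and Heimdal read."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno; readers prefer it when present
    return struct.pack(">i", len(body)) + body

def build_keytab(record: dict, principals, ts: int = 0) -> bytes:
    kvno = int(record["msDS-KeyVersionNumber"])  # record stands in for the ldb object
    out = bytearray(b"\x05\x02")
    for p in principals:  # the account name plus every SPN held by the object
        for etype in KNOWN_ENCTYPES:
            if etype in record["keys"]:
                out += keytab_entry(p, kvno, etype, record["keys"][etype], ts)
    return bytes(out)

def parse_keytab(data: bytes):
    """Minimal reader to check the writer; returns (principal, kvno, enctype, key) tuples."""
    assert data[:2] == b"\x05\x02", "not a v2 keytab"
    pos, entries = 2, []
    while pos < len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        end = pos + abs(size)
        if size > 0:  # a negative size marks a deleted slot
            ncomp, = struct.unpack_from(">H", data, pos); pos += 2
            strings = []
            for _ in range(ncomp + 1):  # realm first, then the name components
                n, = struct.unpack_from(">H", data, pos); pos += 2
                strings.append(data[pos:pos + n].decode()); pos += n
            _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
            etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
            key = data[pos:pos + klen]; pos += klen
            vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append(("/".join(strings[1:]) + "@" + strings[0], vno, etype, key))
        pos = end
    return entries

SAMPLE = {"msDS-KeyVersionNumber": "3", "keys": {18: bytes(range(32)), 23: bytes(16)}}  # constructed
SAMPLE_PRINCIPALS = ["host/srv1.example.com@EXAMPLE.COM", "HTTP/srv1.example.com@EXAMPLE.COM"]
```

The output of build_keytab(SAMPLE, SAMPLE_PRINCIPALS) is a file that klist -k can read; parse_keytab is only there to check the round trip.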
