kadmin or keytab extraction

Andrew Bartlett abartlet at samba.org
Wed Nov 23 18:16:55 MST 2011


On Thu, 2011-11-24 at 09:23 +1100, Andrew Bartlett wrote:
> On Wed, 2011-11-23 at 22:32 +0100, Gémes Géza wrote:
> > 2011-11-23 22:15 keltezéssel, Andrew Bartlett írta:
> > > On Wed, 2011-11-23 at 20:34 +0100, Gémes Géza wrote:
> > >> On 2011-11-22 22:45, Andrew Bartlett wrote:
> > >>> On Tue, 2011-11-22 at 21:14 +0100, Gémes Géza wrote:
> > >>>
> > >>>> 2. Problems from the point of view of a *nix sysadmin:
> > >>>>     a. The KDC is quite hard to manage (no per principal keytab export
> > >>>> utility (I've written one, but it doesn't take SPNs into account)) (Today
> > >>>> I'll start to try implementing (at least parts of) kadmin into Samba4)
> > >>> I've been taking a bit of a break from full time Samba development over
> > >>> the past little while, but I'm happy to help you get the keytab
> > >>> management code you need.
> > >>>
> > >>> Andrew Bartlett
> > >>>
> > >> Hi,
> > >>
> > >> My code practically replicates the code behind samba-tool domain
> > >> exportkeytab, with a new structure (which mimics libnet_export_keytab
> > >> adding just a principal) and passing that principal to a slightly
> > >> modified auth/kerberos/keytab_copy.c based kt_ext function which
> > >> iterates over the source keytab (Samba4:HDB in this case) and if the
> > >> principal it sees is the same as the parameter given it copies it to the
> > >> output keytab.
> > >> Everything works quite well (I still feel the code quite hackish) except
> > >> that I can't compare against spns (just now I've found the typedef of
> > >> krb5_keytab_entry and try to get use of it).
> > >>
> > >> Thank you for your offer to help!
> > > You really shouldn't try and handle it by iteration (because I do not
> > > expose them for iteration), but you can try and call krb5_kt_get_entry
> > > on the specific principal if you want.  
> > >
> > > I'm not sure that going via the keytab -> hdb -> hdb_samba4 -> sambdb
> > > layers is the best approach.  There is code in the source3/ 'net samdump
> > > keytab' that can write out a keytab from the raw database entries.  If
> > > that code was made common, you could search for the entry in ldb, and
> > > then just feed it the blobs to produce the keytab. 
> > >
> > > Andrew Bartlett
> > >
> > Calling krb5_kt_get_entry directly would be a lot more efficient, I just
> > couldn't figure out how to get all the vno and keyblock.keytype
> > attributes of a given principal without iterating over the keytab.
> 
> The kvno is the msDs-keyversionnumber, and you can just iterate over the
> known-to-be-stored key types (we only handle a few, see the
> password_hash module). 

In particular, you need:

KRB5_ENCTYPE_DES_CBC_CRC,
KRB5_ENCTYPE_DES_CBC_MD5,
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
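As an added illustration of the route Andrew suggests (look the entry up in the database, then feed its kvno and key blobs straight into a keytab writer instead of iterating a keytab), here is example code written for this page, not Samba's or the 'net samdump keytab' code: it serialises and reads back version 0x0502 keytab records for one principal, one record per stored enctype, with the kvno taken from msDS-KeyVersionNumber. The principal, realm, kvno and key bytes are constructed sample values.

```python
import struct

# Enctype numbers for the key types Samba's password_hash module stores,
# as listed in the mail above (RFC 3961/3962 and RFC 4757 assignments).
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "arcfour-hmac-md5": 23,
            "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18}

def _cstr(b):
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, realm, kvno, enctype, key, name_type=1, timestamp=0):
    """Serialise one keytab record (file format version 0x0502)."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # trailing 32-bit vno: AD kvnos exceed 255
    return struct.pack(">i", len(body)) + body

def build_keytab(principal, realm, kvno, keys):
    """keys: {enctype number: raw key bytes} taken from the principal's DB entry.
    kvno is the principal's msDS-KeyVersionNumber; one record per enctype."""
    return b"\x05\x02" + b"".join(keytab_entry(principal, realm, kvno, e, k)
                                   for e, k in sorted(keys.items()))

def parse_keytab(data):
    """Read records back as (principal@REALM, kvno, enctype, key) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        end = pos + abs(size)
        if size > 0:  # a negative size marks a deleted slot
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts = []
            for _ in range(n + 1):  # realm first, then the n name components
                (ln,) = struct.unpack_from(">H", data, pos); pos += 2
                parts.append(data[pos:pos + ln].decode()); pos += ln
            _nt, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
            etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
            key = data[pos:pos + klen]; pos += klen
            # prefer the 32-bit vno when the record carries one
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype, key))
        pos = end
    return entries
```

Writing the trailing 32-bit vno is what keeps a kvno above 255 intact; the single byte in the record header alone would silently truncate it.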
