[PATCH] Fix regression in samba-tool domain exportkeytab

Ralph Boehme slow at samba.org
Sun Apr 17 17:26:05 UTC 2016


Hi!

Stumbled across that samba-tool domain exportkeytab --principal
doesn't work anymore in master. Turns out that exporting all keys is
broken as well, only one enctype per principal is preserved in the
keytab.

The regression was introduced in 5c5d586d3ebd402. Attached patch fixes
the issue for me.

Please review carefully and push if ok. I've never been into this area
of code before, so I'm holding my breath, at least it works in my
limited testing. :)

Cheerio!
-slow
-------------- next part --------------
From 6179a1584a227da5193834c970fb1ffc7f888d92 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 17 Apr 2016 16:28:00 +0200
Subject: [PATCH] s4-libnet: fix exporting keytab

5c5d586d3ebd402061a9143dc55543115bcd2476 introduced two regressions:

o calling smb_krb5_kt_add_entry with keep_old_entries=false resulted in
  only one enctype per principal being exported

o exporting a specific principal with --principal=<SPN> didn't work
  anymore

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source4/libnet/libnet_export_keytab.c | 42 ++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index ee2c470..8018faf 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -41,7 +41,6 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 	krb5_error_code code = 0;
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	char *entry_principal = NULL;
-	bool copy_one_principal = (principal != NULL);
 	krb5_data password;
 
 	code = smb_krb5_open_keytab_relative(context,
@@ -56,10 +55,27 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	for (code = samba_kdc_firstkey(context, db_ctx, &sentry);
-	     code == 0;
-	     code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
-		bool principal_found = false;
+	if (principal != NULL) {
+		krb5_principal k5_princ;
+
+		code = smb_krb5_parse_name(context, principal, &k5_princ);
+		if (code != 0) {
+			*error_string = smb_get_krb5_error_message(context,
+								   code,
+								   mem_ctx);
+			status = NT_STATUS_UNSUCCESSFUL;
+			goto done;
+		}
+
+		code = samba_kdc_fetch(context, db_ctx, k5_princ,
+				       SDB_F_GET_ANY, 0, &sentry);
+
+		krb5_free_principal(context, k5_princ);
+	} else {
+		code = samba_kdc_firstkey(context, db_ctx, &sentry);
+	}
+
+	for (; code == 0; code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
 		int i;
 
 		code = krb5_unparse_name(context,
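Review bot: A failed lookup of the requested principal is not reported: when `samba_kdc_fetch` returns non-zero (for instance an unknown SPN), the `for` loop is skipped and execution continues after it with `code` holding the lookup error, and whether the code after the loop (outside this hunk) maps that to a failure status or treats it like the normal end of enumeration cannot be seen here. The `smb_krb5_parse_name` failure two lines above already does the right thing, so the fetch should get the same treatment right after the principal is freed. Note also that switching from the old `strcmp` against the unparsed name to a `SDB_F_GET_ANY` fetch changes which entries match (canonicalisation and aliases now apply); that is presumably intended but deserves a sentence in the commit message. sdb_kt_copy starts before this hunk and its body continues past it.
```c
		code = samba_kdc_fetch(context, db_ctx, k5_princ,
				       SDB_F_GET_ANY, 0, &sentry);
		krb5_free_principal(context, k5_princ);
		if (code != 0) {
			*error_string = smb_get_krb5_error_message(context,
								   code,
								   mem_ctx);
			status = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
```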
@@ -73,17 +89,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
 
-		if (principal != NULL) {
-			int cmp;
-
-			cmp = strcmp(principal, entry_principal);
-			if (cmp == 0) {
-				principal_found = true;
-			}
-		}
-
-		if (sentry.entry.keys.len == 0 ||
-		    (copy_one_principal && !principal_found)) {
+		if (sentry.entry.keys.len == 0) {
 			SAFE_FREE(entry_principal);
 			sdb_free_entry(&sentry);
 			sentry = (struct sdb_entry_ex) {
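Review bot: In single-principal mode the `keys.len == 0` branch can still reach `samba_kdc_nextkey`: the `break` that ends the loop for `--principal` (the last hunk, `if (principal != NULL) { break; }`) sits after the key loop, so a fetched entry without keys frees and resets `sentry` and then, assuming the rest of this branch ends with `continue` as its free-and-reset shape suggests, runs the loop increment, which calls `samba_kdc_nextkey` although no enumeration was ever started with `samba_kdc_firstkey`. Whether nextkey tolerates that is not visible here; the safe fix is to add `if (principal != NULL) { break; }` to this branch as well, right after the `sentry` reset, or to hoist the single-principal exit to the top of the loop body. The branch continues past the end of this hunk.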
@@ -111,7 +117,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 						     enctype,
 						     &password,
 						     true,    /* no_salt */
-						     false);  /* keeyp_old_entries */
+						     true);  /* keep_old_entries */
 			if (code != 0) {
 				status = NT_STATUS_UNSUCCESSFUL;
 				*error_string = smb_get_krb5_error_message(context,
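Review bot: Passing `keep_old_entries = true` fixes the one-enctype-per-principal problem, but it also keeps whatever entries the keytab file already held before this run, so exporting twice into an existing file would accumulate stale keys alongside the current ones; whether the keytab is created fresh by the caller or opened in place is outside this hunk and worth confirming. Since the flag's meaning is not obvious at the call site, a comment explaining why `true` is required would help the next reader, for example `true);  /* keep_old_entries: one entry per enctype, earlier entries of this principal must survive */`. sdb_kt_copy's body extends on both sides of this hunk.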
@@ -123,7 +129,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 			}
 		}
 
-		if (principal_found) {
+		if (principal != NULL) {
 			break;
 		}
 
-- 
2.5.0


