[PATCH] Fix regression in samba-tool domain exportkeytab

Andrew Bartlett abartlet at samba.org
Sat Apr 30 05:46:47 UTC 2016


On Sun, 2016-04-24 at 09:33 +0200, Ralph Boehme wrote:
> On Sun, Apr 24, 2016 at 08:21:00AM +0200, Ralph Boehme wrote:
> > On Mon, Apr 18, 2016 at 11:45:10AM +0200, Ralph Boehme wrote:
> > > On Sun, Apr 17, 2016 at 07:26:05PM +0200, Ralph Boehme wrote:
> > > > Hi!
> > > > 
> > > > Stumbled across that samba-tool domain exportkeytab --principal
> > > > doesn't work anymore in master. Turns out that exporting all
> > > > keys is broken as well: only one enctype per principal is
> > > > preserved in the keytab.
> > > 
> > > after a private conversation with Andreas, we agreed that, while
> > > we're at it, we should look at smb_krb5_kt_add_entry() and why it
> > > deletes entries in this case where it's probably supposed to
> > > preserve them.
> > > 
> > > Also, I'm going to fix the incomplete test for the exportkeytab
> > > --principal=<SPN> test in
> > > testprogs/blackbox/test_export_keytab_mit.sh.
> > 
> > so here's an updated patchset that adds full testing of the
> > exported keytabs and more.
> > 
> > When working on this I noticed that our KDC doesn't allow AS-REQ
> > with an SPN. Windows KDCs do allow this, so I bent it to my will.
> > Please review carefully, the change is too simple, it must be
> > wrong. :)
> > 
> > Summary of changes:
> > 
> > o add a minimalistic ktutil usable in selftest
> > 
> > o check that the keytabs contain all expected enctypes, not just
> > one
> > 
> > o check that exporting SPNs works
> > 
> > o allow AS-REQ with SPN
> > 
> > o check that a kinit with SPN works
> 
> noticed some whitespace warnings when applying the patch and several
> errors in commit messages.
> 
> Updated patchset attached. The code is unmodified.

I'm surprised by the kinit with SPN bit, but I can't find an existing
test that contradicts what you found.  It would be good to have the
krb5.kdc or krb5.kdc-canon test cover this, so we know the finer
details of how this is expected to work with all the different flags.

I found some quite strange things around UPN and enterprise principal
name behaviour when I did that work, I'm surprised I didn't check this
case - it seems obvious in retrospect.  (From memory our 'task' was to
make enterprise principal names work).

I really appreciate your approach to testing this.  The same could work
well for testing 'net rpc vampire keytab', which would be nice to
validate also.

For the first 6 patches:

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
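
The thread's "minimalistic ktutil usable in selftest" and the "check that
the keytabs contain all expected enctypes, not just one" are the two
checks a reviewer would want to be able to run by hand. The following
is an added example (editor's code, not Samba's ktutil or its selftest
helper): a self-contained reader/writer for the MIT keytab v2 on-disk
format (magic 0x0502, big-endian, realm stored outside the component
count, 32-bit name type present) that lists every principal's enctypes
and reports which expected enctypes are missing, which is exactly the
regression described above. Principal names, kvno, key bytes and the
enctype numbers (17/18 aes, 23 arcfour-hmac, per RFC 3962/4757) are
constructed sample values, not taken from any real export.

```python
"""Tiny keytab reader/writer: list enctypes per principal and flag missing ones.
Added example; not Samba's ktutil. Assumes the MIT keytab v2 format (0x0502)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",   # RFC 3962
                 18: "aes256-cts-hmac-sha1-96",   # RFC 3962
                 23: "arcfour-hmac"}              # RFC 4757


def _cos(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key). principal is
    'comp1/comp2@REALM'. Writes one v2 entry per tuple."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))          # v2: realm not counted
        body += _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">I", 1)                   # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                   # timestamp (unused here)
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body     # positive size = live entry
    return bytes(out)


def parse_keytab(data):
    """Return a list of {'principal', 'kvno', 'enctype', 'key'} for live entries.
    Negative entry sizes are deleted slots and are skipped, as ktutil does."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        blob = data[pos:pos + size]
        if len(blob) != size:
            raise ValueError("truncated keytab entry")
        off = 0

        def cos():
            nonlocal off
            (n,) = struct.unpack_from(">H", blob, off)
            off += 2
            s = blob[off:off + n]
            off += n
            return s

        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm = cos().decode()
        comps = [cos().decode() for _ in range(ncomp)]
        off += 4                                        # name type
        off += 4                                        # timestamp
        kvno = blob[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", blob, off)
        off += 4
        key = blob[off:off + klen]
        off += klen
        if off + 4 <= size:                             # 32-bit vno present
            (vno32,) = struct.unpack_from(">I", blob, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos += size
    return entries


def enctypes_by_principal(entries):
    """Map principal -> set of enctypes found in the keytab."""
    seen = {}
    for e in entries:
        seen.setdefault(e["principal"], set()).add(e["enctype"])
    return seen


def missing_enctypes(entries, expected):
    """Per principal, the expected enctypes that are absent. {} means all present,
    which is the condition the thread's selftest wants to assert."""
    present = enctypes_by_principal(entries)
    return {p: sorted(set(expected) - encs)
            for p, encs in present.items() if set(expected) - encs}


# Constructed sample data: a full export and one showing the regression
# (only a single enctype kept for the principal).
SPN = "host/dc1.example.com@EXAMPLE.COM"
EXPECTED = [17, 18, 23]
GOOD_KEYTAB = build_keytab([(SPN, 2, 18, b"\x11" * 32),
                            (SPN, 2, 17, b"\x22" * 16),
                            (SPN, 2, 23, b"\x33" * 16)])
REGRESSED_KEYTAB = build_keytab([(SPN, 2, 23, b"\x33" * 16)])

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("regressed", REGRESSED_KEYTAB)):
        for e in parse_keytab(kt):
            print(label, e["kvno"], e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
        print(label, "missing:", missing_enctypes(parse_keytab(kt), EXPECTED))
```

Run against a real export (`samba-tool domain exportkeytab out.keytab`)
by reading the file into `parse_keytab`; the output mirrors what
`klist -ket` shows, and `missing_enctypes` is the assertion a blackbox
test would make instead of only checking that the principal appears.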
