[PATCH] Fix regression in samba-tool domain exportkeytab
Ralph Boehme
slow at samba.org
Sun Apr 24 07:33:31 UTC 2016
On Sun, Apr 24, 2016 at 08:21:00AM +0200, Ralph Boehme wrote:
> On Mon, Apr 18, 2016 at 11:45:10AM +0200, Ralph Boehme wrote:
> > On Sun, Apr 17, 2016 at 07:26:05PM +0200, Ralph Boehme wrote:
> > > Hi!
> > >
> > > Stumbled across that samba-tool domain exportkeytab --principal
> > > doesn't work anymore in master. Turns out that exporting all keys is
> > > broken as well, only one enctype per principal is preserved in the
> > > keytab.
> >
> > after a private conversation with Andreas, we agreed that, while we're
> > at it, we should look at smb_krb5_kt_add_entry() and why it deletes
> > entries in this case where it's probably supposed to preserve them.
> >
> > Also, I'm going to fix the incomplete test for the exportkeytab
> > --principal=<SPN> test in testprogs/blackbox/test_export_keytab_mit.sh.
>
> so here's an updated patchset that adds full testing of the exported
> keytabs and more.
>
> When working on this I noticed that our KDC doesn't allow AS-REQ with
> an SPN. Windows KDCs do allow this, so I bent it to my will. Please
> review carefully, the change is too simple, it must be wrong. :)
>
> Summary of changes:
>
> o add a minimalistic ktutil usable in selftest
>
> o check that the keytabs contains all expected enctypes, not just one
>
> o check that exporting SPNs works
>
> o allow AS-REQ with SPN
>
> o check that a kinit with SPN works
noticed some whitespace warnings when applying the patch and several
errors in commit messages.
Updated patchset attached. The code is unmodified.
-slow
-------------- next part --------------
From d02174c46b0e655278fae4b0079507d854ec7f02 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 21 Apr 2016 20:54:12 +0200
Subject: [PATCH 1/8] krb5_wrap: add enctype arg to
smb_krb5_kt_seek_and_delete_old_entries()
Unused in this commit, the next commit will use it to avoid deleting
keys with the same kvno but a different enctype.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
lib/krb5_wrap/krb5_samba.c | 2 ++
lib/krb5_wrap/krb5_samba.h | 1 +
source3/libads/kerberos_keytab.c | 1 +
3 files changed, 4 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 247b83b..ea1f2d1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1485,6 +1485,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
krb5_keytab keytab,
krb5_kvno kvno,
+ krb5_enctype enctype,
const char *princ_s,
krb5_principal princ,
bool flush,
@@ -1694,6 +1695,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
ret = smb_krb5_kt_seek_and_delete_old_entries(context,
keytab,
kvno,
+ enctype,
princ_s,
princ,
false,
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f198d72..15da9a1 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -193,6 +193,7 @@ krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
krb5_keytab keytab,
krb5_kvno kvno,
+ krb5_enctype enctype,
const char *princ_s,
krb5_principal princ,
bool flush,
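Review bot: The new `enctype` parameter is undocumented in the header, and the only caller this series adapts, ads_keytab_flush at line 98, passes `KRB5_ENCTYPE_NULL` together with `flush = true`, so a reader cannot tell whether that value means "match any enctype" or is simply ignored on the flush path. I would add a comment above the declaration stating the contract the commit message announces: `enctype` is the encryption type of the key about to be added, entries with the same kvno but a different enctype are to be kept, and the value is not consulted when `flush` is true. The declaration continues past the hunk.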
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 340e552..8a3363c 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -280,6 +280,7 @@ int ads_keytab_flush(ADS_STRUCT *ads)
ret = smb_krb5_kt_seek_and_delete_old_entries(context,
keytab,
kvno,
+ KRB5_ENCTYPE_NULL,
NULL,
NULL,
true,
--
2.5.0
From e99ecc179c0677b593ff9435f436fd16f9869f49 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Thu, 21 Apr 2016 20:55:36 +0200
Subject: [PATCH 2/8] krb5_wrap: fix keep_old_entries logic in
smb_krb5_kt_seek_and_delete_old_entries()
This fixes a regression introduced in 5c5d586d3ebd40 at a higher level
in the caller smb_krb5_kt_add_entry(): calling smb_krb5_kt_add_entry
with keep_old_entries=false resulted in only one enctype per principal
remaining in the exported keytab.
The function smb_krb5_kt_seek_and_delete_old_entries() is called from
smb_krb5_kt_add_entry() when adding keys to a keytab. When the keytab
contains keys with the same kvno as the key to be added and
keep_old_entries is false, the key is deleted without checking the
encryption type of the key. This means that when adding keys for a
principal only the last enctype will be in the exported keytab.
Fix this by checking the encryption type and only treat a key as "old"
if keytab_key_kvno <= new_key_kvno and keytab_key_enctype ==
new_key_enctype.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
lib/krb5_wrap/krb5_samba.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index ea1f2d1..d1e60eb 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1519,6 +1519,8 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
bool name_ok = false;
+ krb5_enctype kt_entry_enctype =
+ smb_get_enctype_from_kt_entry(&kt_entry);
if (!flush && (princ_s != NULL)) {
ret = smb_krb5_unparse_name(tmp_ctx, context,
@@ -1588,6 +1590,16 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
continue;
}
+ if (!flush &&
+ (kt_entry.vno == kvno) &&
+ (kt_entry_enctype != enctype))
+ {
+ DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
+ "enctype [%d] for principal: %s.\n",
+ kvno, kt_entry_enctype, princ_s));
+ continue;
+ }
+
DEBUG(5, (__location__ ": Found old entry for principal: %s "
"(kvno %d) - trying to remove it.\n",
princ_s, kt_entry.vno));
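Review bot: The commit message says an entry is treated as old when `keytab_key_kvno <= new_key_kvno`, but the new check at line 142 keeps an entry only on `kt_entry.vno == kvno` with a different enctype, so an entry with a lower kvno and a different enctype still reaches the removal path below; either the message or the condition should be corrected so they agree. The new `continue` at line 148 also drops the entry that `krb5_kt_next_entry` filled in without releasing it; the hunk does not show whether the sibling `continue` at line 139 frees the entry first, but if it does, this branch should mirror it with `smb_krb5_kt_free_entry(context, &kt_entry); ZERO_STRUCT(kt_entry);` before continuing. The enclosing loop and function start before the hunk.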
--
2.5.0
From 36dada43866df7306e7c7b00c22703bc3549ca24 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 17 Apr 2016 16:28:00 +0200
Subject: [PATCH 3/8] s4/libnet: fix exporting to keytab by SPN
Fix a regression introduced by 5c5d586d3ebd40 that broke exporting
service principals by their spn with
samba-tool exportkeytab --principal=<SPN>.
Iterating with samba_kdc_nextkey() only returns UPNs, so this can't work
with SPNs. If we want to search for a specific SPN, we have to use
samba_kdc_fetch().
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source4/libnet/libnet_export_keytab.c | 39 +++++++++++++++++++++--------------
1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index ee2c470..8bceecc 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -56,10 +56,27 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
goto done;
}
- for (code = samba_kdc_firstkey(context, db_ctx, &sentry);
- code == 0;
- code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
- bool principal_found = false;
+ if (copy_one_principal) {
+ krb5_principal k5_princ;
+
+ code = smb_krb5_parse_name(context, principal, &k5_princ);
+ if (code != 0) {
+ *error_string = smb_get_krb5_error_message(context,
+ code,
+ mem_ctx);
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+
+ code = samba_kdc_fetch(context, db_ctx, k5_princ,
+ SDB_F_GET_ANY, 0, &sentry);
+
+ krb5_free_principal(context, k5_princ);
+ } else {
+ code = samba_kdc_firstkey(context, db_ctx, &sentry);
+ }
+
+ for (; code == 0; code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
int i;
code = krb5_unparse_name(context,
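Review bot: When `samba_kdc_fetch` at line 193 does not find the requested principal, `code` is non-zero, the loop body never runs and control falls through to whatever follows the loop (outside the hunk); if that tail treats a not-found code as normal end of iteration, as it must for the `samba_kdc_nextkey` path, then `exportkeytab --principal=<name>` with a misspelled principal succeeds silently and writes an empty keytab. I would check the fetch result right after `krb5_free_principal`: `if (code != 0) { *error_string = smb_get_krb5_error_message(context, code, mem_ctx); status = NT_STATUS_NO_SUCH_USER; goto done; }`. A second edge: the `keys.len == 0` branch at line 218 resets `sentry` and, if it continues the loop as that reset suggests, calls `samba_kdc_nextkey` for the single-principal case on a db_ctx that `samba_kdc_firstkey` never primed; breaking out there when `copy_one_principal` is set avoids relying on the backend tolerating that. sdb_kt_copy starts before and ends after the hunk.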
@@ -73,17 +90,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
goto done;
}
- if (principal != NULL) {
- int cmp;
-
- cmp = strcmp(principal, entry_principal);
- if (cmp == 0) {
- principal_found = true;
- }
- }
-
- if (sentry.entry.keys.len == 0 ||
- (copy_one_principal && !principal_found)) {
+ if (sentry.entry.keys.len == 0) {
SAFE_FREE(entry_principal);
sdb_free_entry(&sentry);
sentry = (struct sdb_entry_ex) {
@@ -123,7 +130,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
}
}
- if (principal_found) {
+ if (copy_one_principal) {
break;
}
--
2.5.0
From cd375138f67b611ab691f104a65ec32ec4777e52 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 22:05:54 +0200
Subject: [PATCH 4/8] s4: add a minimal ktutil for selftest
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:
./bin/samba4ktutil test.keytab
ktpassuser at HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser at HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser at HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser at HILLHOUSE.SITE (des-cbc-md5)
ktpassuser at HILLHOUSE.SITE (des-cbc-crc)
This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source4/kdc/ktutil.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++
source4/kdc/wscript_build | 5 ++
2 files changed, 127 insertions(+)
create mode 100644 source4/kdc/ktutil.c
diff --git a/source4/kdc/ktutil.c b/source4/kdc/ktutil.c
new file mode 100644
index 0000000..2fcd79a
--- /dev/null
+++ b/source4/kdc/ktutil.c
@@ -0,0 +1,122 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Minimal ktutil for selftest
+
+ Copyright (C) Ralph Boehme <slow at samba.org> 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "krb5_wrap/krb5_samba.h"
+
+static void smb_krb5_err(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ int exit_code,
+ krb5_error_code code,
+ const char *msg)
+{
+ char *krb5_err_str = smb_get_krb5_error_message(context,
+ code,
+ mem_ctx);
+ printf("%s: %s\n", msg, krb5_err_str ? krb5_err_str : "UNKOWN");
+
+ talloc_free(mem_ctx);
+ exit(exit_code);
+}
+
+int main (int argc, char **argv)
+{
+ TALLOC_CTX *mem_ctx = talloc_init("ktutil");
+ krb5_context context;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ krb5_error_code ret;
+ char *keytab_name = NULL;
+
+ if (mem_ctx == NULL) {
+ printf("talloc_init() failed\n");
+ exit(1);
+ }
+
+ if (argc != 2) {
+ printf("Usage: %s KEYTAB\n", argv[0]);
+ exit(1);
+ }
+
+ keytab_name = argv[1];
+
+ initialize_krb5_error_table();
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
+ }
+
+ ret = smb_krb5_open_keytab_relative(context, keytab_name, false, &keytab);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "open keytab");
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_start_seq_get");
+ }
+
+ for (ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
+ ret == 0;
+ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor))
+ {
+ char *principal = NULL;
+ char *enctype_str = NULL;
+ krb5_enctype enctype = smb_get_enctype_from_kt_entry(&entry);
+
+ ret = smb_krb5_unparse_name(mem_ctx,
+ context,
+ entry.principal,
+ &principal);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
+ }
+
+ ret = smb_krb5_enctype_to_string(context,
+ enctype,
+ &enctype_str);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
+ }
+
+ printf("%s (%s)\n", principal, enctype_str);
+
+ TALLOC_FREE(principal);
+ SAFE_FREE(enctype_str);
+ smb_krb5_kt_free_entry(context, &entry);
+ }
+
+ ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_end_seq_get");
+ }
+
+ ret = krb5_kt_close(context, keytab);
+ if (ret) {
+ smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_close");
+ }
+
+ krb5_free_context(context);
+ talloc_free(mem_ctx);
+ return 0;
+}
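Review bot: On `krb5_init_context` failure (line 321) `smb_krb5_err` is called with `context` still uninitialized (line 299) and forwards it to `smb_get_krb5_error_message`, which is undefined behaviour; declare it as `krb5_context context = NULL;` and report that one failure without going through the krb5 error path, e.g. `printf("krb5_init_context failed: %d\n", ret); talloc_free(mem_ctx); exit(1);`. The message at line 348 names `krb5_enctype_to_string` although the failing call is `smb_krb5_unparse_name`; change it to `"smb_krb5_unparse_name"`. The fallback string at line 290 misspells unknown as `UNKOWN`. Since this is a selftest-only binary, exiting from `smb_krb5_err` without closing the keytab or freeing the context is acceptable, but a one-line comment above it saying so would stop the next reader from "fixing" it.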
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 3c9c77b..f0662e5 100755
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -122,4 +122,9 @@ bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
''',
enabled=(not bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and bld.CONFIG_SET('HAVE_KDB_H')) )
+bld.SAMBA_BINARY('samba4ktutil',
+ 'ktutil.c',
+ deps='krb5samba',
+ install=False)
+
bld.RECURSE('mit-kdb')
--
2.5.0
From 0c2ed3c5f69de120ec051efc591e38b472214b2a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 16:38:01 +0200
Subject: [PATCH 5/8] selftest/samba4.blackbox.export.keytab: use spn based on
fqdn
Signed-off-by: Ralph Boehme <slow at samba.org>
---
testprogs/blackbox/test_export_keytab_heimdal.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 736c7af..3bfd61c 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -23,6 +23,8 @@ samba4bindir="$BINDIR"
samba_tool="$samba4bindir/samba-tool"
newuser="$samba_tool user create"
+SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')"
+
samba4kinit=kinit
if test -x $BINDIR/samba4kinit; then
samba4kinit=$BINDIR/samba4kinit
@@ -53,8 +55,8 @@ testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || fail
testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
-testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
-testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
--
2.5.0
From 1a89abc2245fa268691c5002d3b148d59ad0658b Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Fri, 22 Apr 2016 23:59:12 +0200
Subject: [PATCH 6/8] selftest/samba4.blackbox.export.keytab: check exported
keytabs
Now that we have a usable ktutil, actually verify that the exported
keytabs contain the keys we expect.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
testprogs/blackbox/test_export_keytab_heimdal.sh | 30 ++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 3bfd61c..99fd020 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -21,6 +21,7 @@ failed=0
samba4bindir="$BINDIR"
samba_tool="$samba4bindir/samba-tool"
+samba4ktutil="$BINDIR/samba4ktutil"
newuser="$samba_tool user create"
SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')"
@@ -48,18 +49,47 @@ test_smbclient() {
return $status
}
+test_keytab() {
+ testname="$1"
+ keytab="$2"
+ principal="$3"
+ expected_nkeys="$4"
+
+ echo "test: $testname"
+
+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep "des|aes|arcfour" | wc -l)
+ status=$?
+ if [ x$status != x0 ]; then
+ echo "failure: $testname"
+ return $status
+ fi
+
+ if [ x$NKEYS != x$expected_nkeys ] ; then
+ echo "failure: $testname"
+ return 1
+ fi
+ echo "success: $testname"
+ return 0
+}
+
USERPASS=testPaSS at 01%
testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
KRB5CCNAME="$PREFIX/tmpuserccache"
export KRB5CCNAME
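Review bot: `status=$?` at line 459 captures the exit status of `wc`, the last command in the pipeline, so a missing keytab or a crashing `samba4ktutil` yields `NKEYS=0` and a plain count mismatch instead of the intended failure path; run the tool on its own first, `out=$($VALGRIND $samba4ktutil $keytab)` followed by `status=$?`, and only then `NKEYS=$(echo "$out" | grep -i "$principal" | egrep "des|aes|arcfour" | wc -l)`. The call sites at lines 476-486 also omit the `|| failed=...` increment that every `testit` line carries, so a failing `test_keytab` prints "failure" but cannot change the script's exit status; append the same suffix to each of them. The test names at lines 484 and 486 say "dump" where the neighbouring ones say "read".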
--
2.5.0
From 7af6fab97c2c04086d35fbb914ce14c88d94f3c8 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 24 Apr 2016 07:39:25 +0200
Subject: [PATCH 7/8] s4/heimdal: allow SPNs in AS-REQ
This allows testing keytabs with service tickets. Windows KDCs allow
this as well.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source4/heimdal/kdc/kerberos5.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 7e7aefd..3762abe 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -762,9 +762,9 @@ kdc_check_flags(krb5_context context,
return KRB5KDC_ERR_POLICY;
}
- if(!client->flags.client){
+ if (!is_as_req && !client->flags.client){
kdc_log(context, config, 0,
- "Principal may not act as client -- %s", client_name);
+ "Principal may only act as client in AS-REQ -- %s", client_name);
return KRB5KDC_ERR_POLICY;
}
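Review bot: Skipping the `flags.client` check for AS-REQ removes the KDC's policy gate on which principals may obtain an initial ticket with their own key, and it is broader than the SPN case it targets: every HDB entry the backend marks as not-a-client, which as far as I recall includes a disabled account in Samba's db-glue backend, now passes this check on an AS-REQ and is only refused if a later check happens to catch it. Since the fetch at line 519 now uses `HDB_F_GET_ANY`, it is worth verifying whether the backend already sets `flags.client` for the entries this series needs (a service principal fetched by SPN); if it does, this check can stay as it was and the GET_ANY fetch alone gives the intended behaviour, with a disabled-account kinit added to the blackbox test to show the AS-REQ is still rejected. The log text at line 512 is printed when `is_as_req` is false, so "may only act as client in AS-REQ" reads oddly; `"Principal may not act as client in TGS-REQ -- %s"` states what was actually refused. kdc_check_flags starts before the hunk.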
@@ -1055,7 +1055,7 @@ _kdc_as_rep(krb5_context context,
*/
ret = _kdc_db_fetch(context, config, client_princ,
- HDB_F_GET_CLIENT | flags, NULL,
+ HDB_F_GET_ANY | flags, NULL,
&clientdb, &client);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", client_name);
--
2.5.0
From b680993454c6a99a72149f8f6ea3dc814f0669b6 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Sun, 24 Apr 2016 07:44:12 +0200
Subject: [PATCH 8/8] selftest/samba4.blackbox.export.keytab: check AS-REQ with
SPN
Signed-off-by: Ralph Boehme <slow at samba.org>
---
testprogs/blackbox/test_export_keytab_heimdal.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index 99fd020..6bc4b1b 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -107,6 +107,10 @@ export KRB5CCNAME
testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac $USERNAME@$REALM || failed=`expr $failed + 1`
+KRB5CCNAME="$PREFIX/tmpserverccache"
+export KRB5CCNAME
+testit "kinit with SPN from keytab" $VALGRIND $samba4kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN || failed=`expr $failed + 1`
+
testit "del user" $VALGRIND $samba_tool user delete nettestuser -k yes $@ || failed=`expr $failed + 1`
rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server
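Review bot: The new `$PREFIX/tmpserverccache` credential cache created at line 540 is not added to the `rm -f` cleanup at line 545, so a cache holding the service principal's TGT is left behind under `$PREFIX` after the run; add `$PREFIX/tmpserverccache` to that list. `KRB5CCNAME` is also left pointing at that cache when `del user` runs at line 544, so with `-k yes` that deletion now authenticates as the cifs/ service principal rather than the user who kinit'ed at line 539, unless `$@` carries explicit credentials; if that is not intended, restore the previous cache name before the `del user` line.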
--
2.5.0