s3:utils: let smbstatus report anonymous signing/encryption explicitly
[samba.git] / source4 / auth / kerberos / srv_keytab.c
index 2af3f15c47bc35aef0e3db0f2c949159c65e6dec..875d06971cc2dfd849776f583f60c7dec11514e4 100644 (file)
@@ -84,11 +84,36 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
                        return ret;
                }
 
-                entry.vno = kvno;
+               entry.vno = kvno;
 
                for (p = 0; p < num_principals; p++) {
+                       bool found = false;
+
                        unparsed = NULL;
                        entry.principal = principals[p];
+
+                       ret = smb_krb5_is_exact_entry_in_keytab(parent_ctx,
+                                                               context,
+                                                               keytab,
+                                                               &entry,
+                                                               &found,
+                                                               error_string);
+                       if (ret != 0) {
+                               krb5_free_keyblock_contents(context,
+                                                           KRB5_KT_KEY(&entry));
+                               return ret;
+                       }
+
+                       /*
+                        * Do not add the exact same key twice, this
+                        * will allow "samba-tool domain exportkeytab"
+                        * to refresh a keytab rather than infinitely
+                        * extend it
+                        */
+                       if (found) {
+                               continue;
+                       }
+
                        ret = krb5_kt_add_entry(context, keytab, &entry);
                        if (ret != 0) {
                                char *k5_error_string =
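Review bot: The new comment above the `found` check (the block before `if (found)`) should spell out what "exact same key" covers, because the refresh semantics depend on it: if `smb_krb5_is_exact_entry_in_keytab` only matches when principal, kvno, enctype and key material all agree (its name suggests so, but the helper is outside this hunk), then an entry that shares principal/kvno/enctype but carries different key bytes is not deduplicated and both the stale and the fresh entry stay in the keytab. That case is plausible here, since the commit's own later comment in this file notes the kvno read from the directory "may not be correct". Suggest appending to the comment: `* Only an entry identical in principal, kvno, enctype and key material is skipped; a changed key under an unchanged kvno is appended alongside the old one.` keytab_add_keys begins before this hunk and its body continues after it.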
@@ -148,7 +173,7 @@ static krb5_error_code smb_krb5_fill_keytab(TALLOC_CTX *parent_ctx,
        mem_ctx = talloc_new(parent_ctx);
        if (!mem_ctx) {
                *perror_string = talloc_strdup(parent_ctx,
-                       "unable to allocate tmp_ctx for create_keytab");
+                       "unable to allocate tmp_ctx for smb_krb5_fill_keytab");
                return ENOMEM;
        }
 
@@ -166,7 +191,7 @@ static krb5_error_code smb_krb5_fill_keytab(TALLOC_CTX *parent_ctx,
        ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
        if (ret) {
                *perror_string = talloc_asprintf(parent_ctx,
-                                       "create_keytab: generating list of "
+                                       "smb_krb5_fill_keytab: generating list of "
                                        "encryption types failed (%s)\n",
                                        smb_get_krb5_error_message(context,
                                                                ret, mem_ctx));
@@ -206,7 +231,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
                                        krb5_principal principal,
                                        struct ldb_context *samdb,
                                        struct ldb_dn *dn,
-                                       bool include_previous,
+                                       bool include_historic_keys,
                                        const char **error_string)
 {
        const char *gmsa_attrs[] = {
@@ -316,13 +341,17 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
 
        cli_credentials_set_username(cred, username, CRED_SPECIFIED);
 
+       /*
+        * Note that this value may not be correct, it is updated
+        * after the query that gives us the passwords
+        */
        kvno = ldb_msg_find_attr_as_uint(msg, "msDS-KeyVersionNumber", 0);
 
        cli_credentials_set_kvno(cred, kvno);
 
        supported_enctypes = ldb_msg_find_attr_as_uint(msg,
                                                       "msDS-SupportedEncryptionTypes",
-                                                      ENC_HMAC_SHA1_96_AES256);
+                                                      ENC_STRONG_SALTED_TYPES);
        /*
         * We trim this down to just the salted AES types, as the
         * passwords are now wrong for rc4-hmac due to the mapping of
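Review bot: The new comment above `ldb_msg_find_attr_as_uint(msg, "msDS-KeyVersionNumber", 0)` says the value "is updated after the query that gives us the passwords" but does not say where, and the very next line already pushes the possibly-stale value into the credentials with `cli_credentials_set_kvno(cred, kvno)`. A reader cannot tell from this hunk whether the later update also refreshes the credential's kvno or only the local variable; if it is the latter, keytab entries could be written under an outdated version number. Suggest naming the call that performs the update and its effect, e.g. `* Note that this value may be stale; it is replaced after the managed-password query below, which also resets the kvno on cred.`, adjusted to whatever the code actually does. The defaulting to `ENC_STRONG_SALTED_TYPES` when the attribute is absent is consistent with the trimming comment that follows, and smb_krb5_fill_keytab_gmsa_keys extends beyond this hunk on both sides.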
@@ -339,6 +368,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
 
        status = cli_credentials_set_gmsa_passwords(cred,
                                                    managed_password_blob,
+                                                   true /* for keytab */,
                                                    error_string);
 
        if (!NT_STATUS_IS_OK(status)) {
@@ -357,7 +387,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
        salt_principal = cli_credentials_get_salt_principal(cred, tmp_ctx);
        if (salt_principal == NULL) {
                *error_string = talloc_asprintf(mem_ctx,
-                                               "Failed to generated salt principal for %s",
+                                               "Failed to generate salt principal for %s",
                                                ldb_dn_get_linearized(msg->dn));
                TALLOC_FREE(tmp_ctx);
                return NT_STATUS_NO_MEMORY;
@@ -373,7 +403,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
                                   &principal,
                                   context,
                                   keytab,
-                                  include_previous,
+                                  include_historic_keys,
                                   error_string);
        if (ret) {
                *error_string = talloc_asprintf(mem_ctx,