return ret;
}
- entry.vno = kvno;
+ entry.vno = kvno;
for (p = 0; p < num_principals; p++) {
+ bool found = false;
+
unparsed = NULL;
entry.principal = principals[p];
+
+ ret = smb_krb5_is_exact_entry_in_keytab(parent_ctx,
+ context,
+ keytab,
+ &entry,
+ &found,
+ error_string);
+ if (ret != 0) {
+ krb5_free_keyblock_contents(context,
+ KRB5_KT_KEY(&entry));
+ return ret;
+ }
+
+ /*
+ * Do not add the exact same key twice, this
+ * will allow "samba-tool domain exportkeytab"
+ * to refresh a keytab rather than infinitely
+ * extend it
+ */
+ if (found) {
+ continue;
+ }
+
ret = krb5_kt_add_entry(context, keytab, &entry);
if (ret != 0) {
char *k5_error_string =
mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
*perror_string = talloc_strdup(parent_ctx,
- "unable to allocate tmp_ctx for create_keytab");
+ "unable to allocate tmp_ctx for smb_krb5_fill_keytab");
return ENOMEM;
}
ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
if (ret) {
*perror_string = talloc_asprintf(parent_ctx,
- "create_keytab: generating list of "
+ "smb_krb5_fill_keytab: generating list of "
"encryption types failed (%s)\n",
smb_get_krb5_error_message(context,
ret, mem_ctx));
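Review bot: The renamed message at the `talloc_new` failure still says `tmp_ctx`, although the context being allocated on the line above is `mem_ctx`; since the string is being touched anyway, make it match: `"unable to allocate mem_ctx for smb_krb5_fill_keytab"`. The second renamed message keeps a trailing `\n`, which the other talloc_asprintf-built error strings on this page (the salt-principal one, for instance) do not carry, so a caller that logs or concatenates `*perror_string` gets uneven output; dropping it would be consistent. Whether `mem_ctx` is released on the `ms_suptypes_to_ietf_enctypes` failure path cannot be checked here, because the function continues past the hunk.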
krb5_principal principal,
struct ldb_context *samdb,
struct ldb_dn *dn,
- bool include_previous,
+ bool include_historic_keys,
const char **error_string)
{
const char *gmsa_attrs[] = {
cli_credentials_set_username(cred, username, CRED_SPECIFIED);
+ /*
+ * Note that this value may not be correct, it is updated
+ * after the query that gives us the passwords
+ */
kvno = ldb_msg_find_attr_as_uint(msg, "msDS-KeyVersionNumber", 0);
cli_credentials_set_kvno(cred, kvno);
supported_enctypes = ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
- ENC_HMAC_SHA1_96_AES256);
+ ENC_STRONG_SALTED_TYPES);
/*
* We trim this down to just the salted AES types, as the
* passwords are now wrong for rc4-hmac due to the mapping of
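Review bot: The comment added above the msDS-KeyVersionNumber lookup says the value "may not be correct" without saying what makes it provisional, and the kvno is handed to cli_credentials_set_kvno on the very next line, so a reader will want that spelled out, e.g. `/* Provisional: the kvno from this search may be stale and is set again from the later password query */`. The new ENC_STRONG_SALTED_TYPES default only takes effect when msDS-SupportedEncryptionTypes is absent on the object; the trimming comment below explains the salted-AES restriction but not that fallback, so a one-line remark beside the default such as `/* fallback when the attribute is unset */` would let the two be read together. The enclosing function continues outside the hunk.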
status = cli_credentials_set_gmsa_passwords(cred,
managed_password_blob,
+ true /* for keytab */,
error_string);
if (!NT_STATUS_IS_OK(status)) {
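Review bot: The new positional `true /* for keytab */` argument is explained only by a free-text comment; if the corresponding parameter of cli_credentials_set_gmsa_passwords has a name (its prototype is not in this hunk), the comment should use that exact name, e.g. `true /* for_keytab */`, so the call site and the declaration can be found together, and a named constant or enum would be clearer still if other callers pass the opposite value. The call and the status check that follows sit in a function whose body continues outside the hunk.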
salt_principal = cli_credentials_get_salt_principal(cred, tmp_ctx);
if (salt_principal == NULL) {
*error_string = talloc_asprintf(mem_ctx,
- "Failed to generated salt principal for %s",
+ "Failed to generate salt principal for %s",
ldb_dn_get_linearized(msg->dn));
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
&principal,
context,
keytab,
- include_previous,
+ include_historic_keys,
error_string);
if (ret) {
*error_string = talloc_asprintf(mem_ctx,