From: Andrew Bartlett Date: Tue, 29 Nov 2011 01:47:40 +0000 (+1100) Subject: s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=2bff209128b85bd870ad36fa00ffcc92edbbab08;p=kai%2Fsamba.git s4-samba-tool: Add --principal argument to samba-tool domain exportkeytab This allows only a particular principal to be exported to the keytab. This is useful when setting up unix servers in a Samba controlled domain. Based on a request by Gémes Géza Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Tue Nov 29 09:20:55 CET 2011 on sn-devel-104 --- diff --git a/source4/auth/kerberos/keytab_copy.c b/source4/auth/kerberos/keytab_copy.c index ba4ea2bf39e..d823e0219db 100644 --- a/source4/auth/kerberos/keytab_copy.c +++ b/source4/auth/kerberos/keytab_copy.c @@ -1,6 +1,8 @@ /* * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). + * Copyright (c) 2011 Andrew Bartlett + * * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,8 +37,6 @@ #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" -static const krb5_boolean verbose_flag = FALSE; - static krb5_boolean compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b) { 
@@ -47,90 +47,99 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b) return TRUE; } +static krb5_error_code copy_one_entry(krb5_context context, + krb5_keytab src_keytab, krb5_keytab dst_keytab, krb5_keytab_entry entry) +{ + krb5_error_code ret; + krb5_keytab_entry dummy; + + char *name_str; + char *etype_str; + ret = krb5_unparse_name (context, entry.principal, &name_str); + if(ret) { + krb5_set_error_message(context, ret, "krb5_unparse_name"); + name_str = NULL; /* XXX */ + return ret; + } + ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str); + if(ret) { + krb5_set_error_message(context, ret, "krb5_enctype_to_string"); + etype_str = NULL; /* XXX */ + return ret; + } + ret = krb5_kt_get_entry(context, dst_keytab, + entry.principal, + entry.vno, + entry.keyblock.keytype, + &dummy); + if(ret == 0) { + /* this entry is already in the new keytab, so no need to + copy it; if the keyblocks are not the same, something + is weird, so complain about that */ + if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) { + krb5_warn(context, 0, "entry with different keyvalue " + "already exists for %s, keytype %s, kvno %d", + name_str, etype_str, entry.vno); + } + krb5_kt_free_entry(context, &dummy); + krb5_kt_free_entry (context, &entry); + free(name_str); + free(etype_str); + return ret; + } else if(ret != KRB5_KT_NOTFOUND) { + krb5_set_error_message (context, ret, "fetching %s/%s/%u", + name_str, etype_str, entry.vno); + krb5_kt_free_entry (context, &entry); + free(name_str); + free(etype_str); + return ret; + } + ret = krb5_kt_add_entry (context, dst_keytab, &entry); + krb5_kt_free_entry (context, &entry); + if (ret) { + krb5_set_error_message (context, ret, "adding %s/%s/%u", + name_str, etype_str, entry.vno); + free(name_str); + free(etype_str); + return ret; + } + free(name_str); + free(etype_str); + return ret; +} + krb5_error_code kt_copy (krb5_context context, const char *from, const char *to) { krb5_error_code ret; krb5_keytab 
src_keytab, dst_keytab; krb5_kt_cursor cursor; - krb5_keytab_entry entry, dummy; + krb5_keytab_entry entry; ret = krb5_kt_resolve (context, from, &src_keytab); if (ret) { - krb5_warn (context, ret, "resolving src keytab `%s'", from); - return 1; + krb5_set_error_message (context, ret, "resolving src keytab `%s'", from); + return ret; } ret = krb5_kt_resolve (context, to, &dst_keytab); if (ret) { krb5_kt_close (context, src_keytab); - krb5_warn (context, ret, "resolving dst keytab `%s'", to); - return 1; + krb5_set_error_message (context, ret, "resolving dst keytab `%s'", to); + return ret; } ret = krb5_kt_start_seq_get (context, src_keytab, &cursor); if (ret) { - krb5_warn (context, ret, "krb5_kt_start_seq_get %s", from); + krb5_set_error_message (context, ret, "krb5_kt_start_seq_get %s", from); goto out; } - if (verbose_flag) - fprintf(stderr, "copying %s to %s\n", from, to); - while((ret = krb5_kt_next_entry(context, src_keytab, &entry, &cursor)) == 0) { - char *name_str; - char *etype_str; - ret = krb5_unparse_name (context, entry.principal, &name_str); - if(ret) { - krb5_warn(context, ret, "krb5_unparse_name"); - name_str = NULL; /* XXX */ - } - ret = krb5_enctype_to_string(context, entry.keyblock.keytype, &etype_str); - if(ret) { - krb5_warn(context, ret, "krb5_enctype_to_string"); - etype_str = NULL; /* XXX */ - } - ret = krb5_kt_get_entry(context, dst_keytab, - entry.principal, - entry.vno, - entry.keyblock.keytype, - &dummy); - if(ret == 0) { - /* this entry is already in the new keytab, so no need to - copy it; if the keyblocks are not the same, something - is weird, so complain about that */ - if(!compare_keyblock(&entry.keyblock, &dummy.keyblock)) { - krb5_warnx(context, "entry with different keyvalue " - "already exists for %s, keytype %s, kvno %d", - name_str, etype_str, entry.vno); - } - krb5_kt_free_entry(context, &dummy); - krb5_kt_free_entry (context, &entry); - free(name_str); - free(etype_str); - continue; - } else if(ret != KRB5_KT_NOTFOUND) { - 
krb5_warn (context, ret, "%s: fetching %s/%s/%u", - to, name_str, etype_str, entry.vno); - krb5_kt_free_entry (context, &entry); - free(name_str); - free(etype_str); - break; - } - if (verbose_flag) - fprintf (stderr, "copying %s, keytype %s, kvno %d\n", name_str, - etype_str, entry.vno); - ret = krb5_kt_add_entry (context, dst_keytab, &entry); - krb5_kt_free_entry (context, &entry); + ret = copy_one_entry(context, src_keytab, dst_keytab, entry); if (ret) { - krb5_warn (context, ret, "%s: adding %s/%s/%u", - to, name_str, etype_str, entry.vno); - free(name_str); - free(etype_str); break; } - free(name_str); - free(etype_str); } krb5_kt_end_seq_get (context, src_keytab, &cursor); 
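Review bot: The two early returns at the top of copy_one_entry leak the keytab entry the function was handed: entry is filled by krb5_kt_next_entry in kt_copy and every later path in copy_one_entry releases it with krb5_kt_free_entry, but the krb5_unparse_name and krb5_enctype_to_string failure branches return before doing so, and the second of them also leaks name_str. Add `krb5_kt_free_entry(context, &entry);` before the first `return ret;` and `free(name_str); krb5_kt_free_entry(context, &entry);` before the second; the `name_str = NULL; /* XXX */` and `etype_str = NULL; /* XXX */` assignments are then dead, since the function returns on the next line. The src_keytab parameter is never read inside copy_one_entry; it is presumably kept so both callers look alike, but that deserves a comment or the parameter should go. kt_copy's body continues past the end of this hunk (its cleanup label and final return are in the next one).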
@@ -144,3 +153,67 @@ krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
 }
 return ret;
 }
+
+krb5_error_code kt_copy_one_principal (krb5_context context, const char *from, const char *to,
+ const char *principal, krb5_kvno kvno, krb5_enctype *enctypes)
+{
+ krb5_error_code ret;
+ krb5_keytab src_keytab, dst_keytab;
+ krb5_keytab_entry entry;
+ krb5_principal princ;
+ int i;
+ bool found_one = false;
+
+ ret = krb5_parse_name (context, principal, &princ);
+ if(ret) {
+ krb5_set_error_message(context, ret, "krb5_unparse_name");
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, from, &src_keytab);
+ if (ret) {
+ krb5_set_error_message(context, ret, "resolving src keytab `%s'", from);
+ return ret;
+ }
+
+ ret = krb5_kt_resolve (context, to, &dst_keytab);
+ if (ret) {
+ krb5_kt_close (context, src_keytab);
+ krb5_set_error_message(context, ret, "resolving dst keytab `%s'", to);
+ return ret;
+ }
+
+ for (i=0; enctypes[i]; i++) {
+ ret = krb5_kt_get_entry(context, src_keytab,
+ princ,
+ kvno,
+ enctypes[i],
+ &entry);
+ if (ret == KRB5_KT_NOTFOUND) {
+ continue;
+ } else if (ret) {
+ break;
+ }
+ found_one = true;
+ ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
+ if (ret) {
+ break;
+ }
+ }
+ if (ret == KRB5_KT_NOTFOUND) {
+ if (!found_one) {
+ char *princ_string;
+ int ret2 = krb5_unparse_name (context, princ, &princ_string);
+ if (ret2) {
+ krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
+ }
+ } else {
+ /* Not finding an enc type is not an error, as long as we copied one for the principal */
+ ret = 0;
+ }
+ }
+
+ krb5_kt_close (context, src_keytab);
+ krb5_kt_close (context, dst_keytab);
+ return ret;
+}
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index e8a0a1321d8..2dae370b1a9 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
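Review bot: The not-found reporting at the end of kt_copy_one_principal is inverted: `if (ret2)` sets the error message only when krb5_unparse_name failed, at which point princ_string is uninitialised, while on success no message is set and princ_string leaks. princ itself is never released with krb5_free_principal on any path, and the message in the krb5_parse_name failure branch names the wrong function (`"krb5_unparse_name"`, which should read `"krb5_parse_name"`). The block below rewrites the tail of the function; the two early returns after krb5_parse_name has succeeded should likewise free princ, or jump to the common cleanup at the bottom.
```c
	/* … unchanged: name parsing, keytab resolution and the enctype loop … */
	if (ret == KRB5_KT_NOTFOUND) {
		if (!found_one) {
			char *princ_string = NULL;
			int ret2 = krb5_unparse_name(context, princ, &princ_string);
			/* only report the name if we actually obtained one */
			if (ret2 == 0) {
				krb5_set_error_message(context, ret, "failed to fetch principal %s", princ_string);
				free(princ_string);
			}
		} else {
			/* Not finding an enc type is not an error, as long as we copied one for the principal */
			ret = 0;
		}
	}

	krb5_free_principal(context, princ);
	krb5_kt_close(context, src_keytab);
	krb5_kt_close(context, dst_keytab);
	return ret;
```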
@@ -45,13 +45,29 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s return NT_STATUS_NO_MEMORY; } - unlink(r->in.keytab_name); + if (r->in.principal) { + /* TODO: Find a way not to have to use a fixed list */ + krb5_enctype enctypes[] = { + KRB5_ENCTYPE_DES_CBC_CRC, + KRB5_ENCTYPE_DES_CBC_MD5, + KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96, + KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 + }; + ret = kt_copy_one_principal(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name, r->in.principal, 0, enctypes); + } else { + unlink(r->in.keytab_name); + ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name); + } - ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name); if(ret) { r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx); - return NT_STATUS_UNSUCCESSFUL; + if (ret == KRB5_KT_NOTFOUND) { + return NT_STATUS_NO_SUCH_USER; + } else { + return NT_STATUS_UNSUCCESSFUL; + } } return NT_STATUS_OK; } diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h index 194f8907a30..289d19c7a69 100644 --- a/source4/libnet/libnet_export_keytab.h +++ b/source4/libnet/libnet_export_keytab.h @@ -20,6 +20,7 @@ struct libnet_export_keytab { struct { const char *keytab_name; + const char *principal; } in; struct { const char *error_string; diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c index 7c90572e126..cf37ccc3807 100644 --- a/source4/libnet/py_net.c +++ b/source4/libnet/py_net.c 
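Review bot: The enctypes array built in the principal branch has no terminating zero, yet kt_copy_one_principal walks it with `for (i=0; enctypes[i]; i++)`, so the loop reads past the end of the five-element stack array — undefined behaviour that may stop early or query the keytab with whatever happens to follow the array. Append a terminator: `KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, 0 };` (or the header's null-enctype constant if one exists). Since the list is fixed, a `static const` table at file scope with a comment explaining that the single-DES entries exist only for legacy interoperability would also make the TODO more useful; a principal whose keys use an enctype outside this list is silently exported without them. Note too that, unlike the full-export path, the principal path does not unlink the destination first and so merges into whatever keytab is already at that path — presumably intentional given the repeated-run tests, but worth a comment next to the `if (r->in.principal)`.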
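Review bot: The new principal field in libnet_export_keytab.in carries no documentation of its contract, and the behaviour it selects differs in more than scope: callers have to read libnet_export_keytab.c to learn that NULL replaces the whole keytab while a non-NULL value merges only that principal's keys into the existing file. A comment on the field, e.g. `/* Optional: NULL exports every principal (replacing the keytab); otherwise only this principal, parsed with krb5_parse_name, is merged into the existing keytab. */`, would spare the next caller that trip.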
@@ -188,11 +188,13 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj { struct libnet_export_keytab r; TALLOC_CTX *mem_ctx; - const char *kwnames[] = { "keytab", NULL }; + const char *kwnames[] = { "keytab", "principal", NULL }; NTSTATUS status; + r.in.principal = NULL; - if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s:export_keytab", discard_const_p(char *, kwnames), - &r.in.keytab_name)) { + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z:export_keytab", discard_const_p(char *, kwnames), + &r.in.keytab_name, + &r.in.principal)) { return NULL; } diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index a41a9d67345..88d0d703201 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -66,14 +66,15 @@ class cmd_domain_export_keytab(Command): synopsis = "%prog [options]" takes_options = [ + Option("--principal", help="extract only this principal", type=str), ] takes_args = ["keytab"] - def run(self, keytab, credopts=None, sambaopts=None, versionopts=None): + def run(self, keytab, credopts=None, sambaopts=None, versionopts=None, principal=None): lp = sambaopts.get_loadparm() - net = Net(None, lp, server=credopts.ipaddress) - net.export_keytab(keytab=keytab) + net = Net(None, lp) + net.export_keytab(keytab=keytab, principal=principal) class cmd_domain_info(Command): """Print basic info about a domain and the DC passed as parameter""" diff --git a/testprogs/blackbox/test_export_keytab.sh b/testprogs/blackbox/test_export_keytab.sh index 7c637042d45..a2debfef1cf 100755 --- a/testprogs/blackbox/test_export_keytab.sh +++ b/testprogs/blackbox/test_export_keytab.sh 
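Review bot: `r.in.principal = NULL;` is assigned by hand because `|z` leaves the optional argument untouched when it is omitted, which is correct but leaves the rest of `r` uninitialised; initialising at the declaration, `struct libnet_export_keytab r = { .in = { .principal = NULL } };`, zeroes the whole record and documents the intent in one place. The `z` code also accepts Python None for the principal, which is what lets samba-tool pass principal=None straight through; a one-line comment beside the format string saying so would make that dependency visible.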
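Review bot: `Net(None, lp, server=credopts.ipaddress)` becomes `Net(None, lp)`, dropping the server selection from the connection, and the commit message does not mention it; either this is an unrelated behaviour change that belongs in its own commit or the message needs a sentence on why the address is no longer passed. If the export only ever reads the local database this may be deliberate, but credopts is now unread in run(). The `--principal` help text could also state the accepted forms, since the tests exercise both `cifs/$SERVER` and `nettestuser@$REALM`: `Option("--principal", help="extract only this principal (service/host or user@REALM)", type=str),`.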
@@ -49,6 +49,12 @@ testit "create user locally" $VALGRIND $newuser nettestuser $USERPASS $@ || fail testit "dump keytab from domain" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` testit "dump keytab from domain (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +testit "dump keytab from domain for cifs principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1` +testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER $@ || failed=`expr $failed + 1` + +testit "dump keytab from domain for user principal" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` +testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` + KRB5CCNAME="$PREFIX/tmpuserccache" export KRB5CCNAME @@ -56,6 +62,10 @@ testit "kinit with keytab as user" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpke test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` +testit "kinit with keytab as user (2)" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab-2 --request-pac nettestuser@$REALM || failed=`expr $failed + 1` + +test_smbclient "Test login with user kerberos ccache as user (2)" 'ls' -k yes || failed=`expr $failed + 1` + KRB5CCNAME="$PREFIX/tmpadminccache" export KRB5CCNAME 
@@ -63,5 +73,5 @@ testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/ testit "del user" $VALGRIND $samba_tool user delete nettestuser -k yes $@ || failed=`expr $failed + 1` -rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab +rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server exit $failed