2 Unix SMB/CIFS implementation.
3 kerberos keytab utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
8 Copyright (C) Guenther Deschner 2003,2007
9 Copyright (C) Rakesh Patel 2004
10 Copyright (C) Dan Perry 2004
11 Copyright (C) Jeremy Allison 2004
12 Copyright (C) Gerald Carter 2006
14 This program is free software; you can redistribute it and/or modify
15 it under the terms of the GNU General Public License as published by
16 the Free Software Foundation; either version 2 of the License, or
17 (at your option) any later version.
19 This program is distributed in the hope that it will be useful,
20 but WITHOUT ANY WARRANTY; without even the implied warranty of
21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 GNU General Public License for more details.
24 You should have received a copy of the GNU General Public License
25 along with this program; if not, write to the Free Software
26 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 /* This MAX_NAME_LEN is a constant defined in krb5.h */
34 #ifndef MAX_KEYTAB_NAME_LEN
35 #define MAX_KEYTAB_NAME_LEN 1100
38 /**********************************************************************
39 * Open a krb5 keytab with flags, handles readonly or readwrite access and
40 * allows to process non-default keytab names.
41 * @param context krb5_context
42 * @param keytab_name_req string
43 * @param write_access BOOL if writable keytab is required
44 * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close())
45 * @return krb5_error_code
46 **********************************************************************/
48 krb5_error_code smb_krb5_open_keytab(krb5_context context,
49 const char *keytab_name_req,
53 krb5_error_code ret = 0;
55 char keytab_string[MAX_KEYTAB_NAME_LEN];
56 BOOL found_valid_name = False;
57 const char *pragma = "FILE";
58 const char *tmp = NULL;
60 if (!write_access && !keytab_name_req) {
61 /* caller just wants to read the default keytab readonly, so be it */
62 return krb5_kt_default(context, keytab);
65 mem_ctx = talloc_init("smb_krb5_open_keytab");
70 #ifdef HAVE_WRFILE_KEYTAB
76 if (keytab_name_req) {
78 if (strlen(keytab_name_req) > MAX_KEYTAB_NAME_LEN) {
79 ret = KRB5_CONFIG_NOTENUFSPACE;
83 if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) ||
84 (strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
85 tmp = keytab_name_req;
89 if (keytab_name_req[0] != '/') {
90 ret = KRB5_KT_BADNAME;
94 tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, keytab_name_req);
103 /* we need to handle more complex keytab_strings, like:
104 * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
106 ret = krb5_kt_default_name(context, &keytab_string[0], MAX_KEYTAB_NAME_LEN - 2);
111 DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string));
113 tmp = talloc_strdup(mem_ctx, keytab_string);
119 if (strncmp(tmp, "ANY:", 4) == 0) {
123 memset(&keytab_string, '\0', sizeof(keytab_string));
125 while (next_token(&tmp, keytab_string, ",", sizeof(keytab_string))) {
127 if (strncmp(keytab_string, "WRFILE:", 7) == 0) {
128 found_valid_name = True;
133 if (strncmp(keytab_string, "FILE:", 5) == 0) {
134 found_valid_name = True;
139 if (found_valid_name) {
142 ret = KRB5_KT_BADNAME;
146 tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, tmp);
155 if (!found_valid_name) {
156 ret = KRB5_KT_UNKNOWN_TYPE;
161 DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp));
162 ret = krb5_kt_resolve(context, tmp, keytab);
165 TALLOC_FREE(mem_ctx);
169 /**********************************************************************
170 **********************************************************************/
172 static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
173 krb5_kvno kvno, const char *princ_s,
174 krb5_enctype *enctypes, krb5_data password )
176 krb5_error_code ret = 0;
177 krb5_kt_cursor cursor;
178 krb5_keytab_entry kt_entry;
179 krb5_principal princ = NULL;
181 char *ktprinc = NULL;
183 ZERO_STRUCT(kt_entry);
186 ret = smb_krb5_parse_name(context, princ_s, &princ);
188 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_parse_name(%s) failed (%s)\n", princ_s, error_message(ret)));
192 /* Seek and delete old keytab entries */
193 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
194 if (ret != KRB5_KT_END && ret != ENOENT ) {
195 DEBUG(3,("smb_krb5_kt_add_entry: Will try to delete old keytab entries\n"));
196 while(!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
197 BOOL compare_name_ok = False;
199 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
201 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_unparse_name failed (%s)\n",
202 error_message(ret)));
206 /*---------------------------------------------------------------------------
207 * Save the entries with kvno - 1. This is what microsoft does
208 * to allow people with existing sessions that have kvno - 1 to still
209 * work. Otherwise, when the password for the machine changes, all
210 * kerberizied sessions will 'break' until either the client reboots or
211 * the client's session key expires and they get a new session ticket
215 #ifdef HAVE_KRB5_KT_COMPARE
216 compare_name_ok = (krb5_kt_compare(context, &kt_entry, princ, 0, 0) == True);
218 compare_name_ok = (strcmp(ktprinc, princ_s) == 0);
221 if (!compare_name_ok) {
222 DEBUG(10,("smb_krb5_kt_add_entry: ignoring keytab entry principal %s, kvno = %d\n",
223 ktprinc, kt_entry.vno));
228 if (compare_name_ok) {
229 if (kt_entry.vno == kvno - 1) {
230 DEBUG(5,("smb_krb5_kt_add_entry: Saving previous (kvno %d) entry for principal: %s.\n",
234 DEBUG(5,("smb_krb5_kt_add_entry: Found old entry for principal: %s (kvno %d) - trying to remove it.\n",
235 princ_s, kt_entry.vno));
236 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
239 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get() failed (%s)\n",
240 error_message(ret)));
243 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
245 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
246 error_message(ret)));
250 DEBUG(5,("smb_krb5_kt_add_entry: removed old entry for principal: %s (kvno %d).\n",
251 princ_s, kt_entry.vno));
253 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
255 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_start_seq failed (%s)\n",
256 error_message(ret)));
259 ret = smb_krb5_kt_free_entry(context, &kt_entry);
260 ZERO_STRUCT(kt_entry);
262 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (%s)\n",
263 error_message(ret)));
270 /* Not a match, just free this entry and continue. */
271 ret = smb_krb5_kt_free_entry(context, &kt_entry);
272 ZERO_STRUCT(kt_entry);
274 DEBUG(1,("smb_krb5_kt_add_entry: smb_krb5_kt_free_entry failed (%s)\n", error_message(ret)));
279 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
282 DEBUG(1,("smb_krb5_kt_add_entry: krb5_kt_end_seq_get failed (%s)\n",error_message(ret)));
287 /* Ensure we don't double free. */
288 ZERO_STRUCT(kt_entry);
291 /* If we get here, we have deleted all the old entries with kvno's not equal to the current kvno-1. */
293 /* Now add keytab entries for all encryption types */
294 for (i = 0; enctypes[i]; i++) {
297 #if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
298 #error krb5_keytab_entry has no key or keyblock member
300 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
301 keyp = &kt_entry.key;
303 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
304 keyp = &kt_entry.keyblock;
306 if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
310 kt_entry.principal = princ;
313 DEBUG(3,("smb_krb5_kt_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
314 princ_s, enctypes[i], kt_entry.vno));
315 ret = krb5_kt_add_entry(context, keytab, &kt_entry);
316 krb5_free_keyblock_contents(context, keyp);
317 ZERO_STRUCT(kt_entry);
319 DEBUG(1,("smb_krb5_kt_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
327 krb5_keytab_entry zero_kt_entry;
328 ZERO_STRUCT(zero_kt_entry);
329 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
330 smb_krb5_kt_free_entry(context, &kt_entry);
334 krb5_free_principal(context, princ);
338 krb5_kt_cursor zero_csr;
339 ZERO_STRUCT(zero_csr);
340 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
341 krb5_kt_end_seq_get(context, keytab, &cursor);
349 /**********************************************************************
350 Adds a single service principal, i.e. 'host' to the system keytab
351 ***********************************************************************/
353 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
355 krb5_error_code ret = 0;
356 krb5_context context = NULL;
357 krb5_keytab keytab = NULL;
360 krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
361 char *princ_s = NULL, *short_princ_s = NULL;
362 char *password_s = NULL;
364 TALLOC_CTX *ctx = NULL;
367 #if defined(ENCTYPE_ARCFOUR_HMAC)
368 enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
371 initialize_krb5_error_table();
372 ret = krb5_init_context(&context);
374 DEBUG(1,("ads_keytab_add_entry: could not krb5_init_context: %s\n",error_message(ret)));
378 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
380 DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
384 /* retrieve the password */
385 if (!secrets_init()) {
386 DEBUG(1,("ads_keytab_add_entry: secrets_init failed\n"));
390 password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
392 DEBUG(1,("ads_keytab_add_entry: failed to fetch machine password\n"));
396 password.data = password_s;
397 password.length = strlen(password_s);
399 /* we need the dNSHostName value here */
401 if ( (ctx = talloc_init("ads_keytab_add_entry")) == NULL ) {
402 DEBUG(0,("ads_keytab_add_entry: talloc() failed!\n"));
407 if ( (my_fqdn = ads_get_dnshostname( ads, ctx, global_myname())) == NULL ) {
408 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's dns name in AD!\n"));
413 if ( (machine_name = ads_get_samaccountname( ads, ctx, global_myname())) == NULL ) {
414 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's short name in AD!\n"));
418 /*strip the trailing '$' */
419 machine_name[strlen(machine_name)-1] = '\0';
421 /* Construct our principal */
423 if (strchr_m(srvPrinc, '@')) {
424 /* It's a fully-named principal. */
425 asprintf(&princ_s, "%s", srvPrinc);
426 } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
427 /* It's the machine account, as used by smbclient clients. */
428 asprintf(&princ_s, "%s@%s", srvPrinc, lp_realm());
430 /* It's a normal service principal. Add the SPN now so that we
431 * can obtain credentials for it and double-check the salt value
432 * used to generate the service's keys. */
434 asprintf(&princ_s, "%s/%s@%s", srvPrinc, my_fqdn, lp_realm());
435 asprintf(&short_princ_s, "%s/%s@%s", srvPrinc, machine_name, lp_realm());
437 /* According to http://support.microsoft.com/kb/326985/en-us,
438 certain principal names are automatically mapped to the host/...
439 principal in the AD account. So only create these in the
440 keytab, not in AD. --jerry */
442 if ( !strequal( srvPrinc, "cifs" ) && !strequal(srvPrinc, "host" ) ) {
443 DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
445 if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), my_fqdn, srvPrinc))) {
446 DEBUG(1,("ads_keytab_add_entry: ads_add_service_principal_name failed.\n"));
452 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
453 if (kvno == -1) { /* -1 indicates failure, everything else is OK */
454 DEBUG(1,("ads_keytab_add_entry: ads_get_kvno failed to determine the system's kvno.\n"));
459 /* add the fqdn principal to the keytab */
461 ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
463 DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
467 /* add the short principal name if we have one */
469 if ( short_princ_s ) {
470 ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
472 DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
478 SAFE_FREE( princ_s );
479 SAFE_FREE( short_princ_s );
483 krb5_kt_close(context, keytab);
486 krb5_free_context(context);
491 /**********************************************************************
492 Flushes all entries from the system keytab.
493 ***********************************************************************/
495 int ads_keytab_flush(ADS_STRUCT *ads)
497 krb5_error_code ret = 0;
498 krb5_context context = NULL;
499 krb5_keytab keytab = NULL;
500 krb5_kt_cursor cursor;
501 krb5_keytab_entry kt_entry;
504 ZERO_STRUCT(kt_entry);
507 initialize_krb5_error_table();
508 ret = krb5_init_context(&context);
510 DEBUG(1,("ads_keytab_flush: could not krb5_init_context: %s\n",error_message(ret)));
514 ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
516 DEBUG(1,("ads_keytab_flush: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
520 kvno = (krb5_kvno) ads_get_kvno(ads, global_myname());
521 if (kvno == -1) { /* -1 indicates a failure */
522 DEBUG(1,("ads_keytab_flush: Error determining the system's kvno.\n"));
526 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
527 if (ret != KRB5_KT_END && ret != ENOENT) {
528 while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
529 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
532 DEBUG(1,("ads_keytab_flush: krb5_kt_end_seq_get() failed (%s)\n",error_message(ret)));
535 ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
537 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
540 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
542 DEBUG(1,("ads_keytab_flush: krb5_kt_start_seq failed (%s)\n",error_message(ret)));
545 ret = smb_krb5_kt_free_entry(context, &kt_entry);
546 ZERO_STRUCT(kt_entry);
548 DEBUG(1,("ads_keytab_flush: krb5_kt_remove_entry failed (%s)\n",error_message(ret)));
554 /* Ensure we don't double free. */
555 ZERO_STRUCT(kt_entry);
558 if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
559 DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
566 krb5_keytab_entry zero_kt_entry;
567 ZERO_STRUCT(zero_kt_entry);
568 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
569 smb_krb5_kt_free_entry(context, &kt_entry);
573 krb5_kt_cursor zero_csr;
574 ZERO_STRUCT(zero_csr);
575 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
576 krb5_kt_end_seq_get(context, keytab, &cursor);
580 krb5_kt_close(context, keytab);
583 krb5_free_context(context);
588 /**********************************************************************
589 Adds all the required service principals to the system keytab.
590 ***********************************************************************/
592 int ads_keytab_create_default(ADS_STRUCT *ads)
594 krb5_error_code ret = 0;
595 krb5_context context = NULL;
596 krb5_keytab keytab = NULL;
597 krb5_kt_cursor cursor;
598 krb5_keytab_entry kt_entry;
601 char *sam_account_name, *upn;
602 char **oldEntries = NULL, *princ_s[26];
603 TALLOC_CTX *ctx = NULL;
604 fstring machine_name;
606 memset(princ_s, '\0', sizeof(princ_s));
608 fstrcpy( machine_name, global_myname() );
610 /* these are the main ones we need */
612 if ( (ret = ads_keytab_add_entry(ads, "host") ) != 0 ) {
613 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
618 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
619 really needs them and we will fall back to verifying against secrets.tdb */
621 if ( (ret = ads_keytab_add_entry(ads, "cifs")) != 0 ) {
622 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
627 if ( (ctx = talloc_init("ads_keytab_create_default")) == NULL ) {
628 DEBUG(0,("ads_keytab_create_default: talloc() failed!\n"));
632 /* now add the userPrincipalName and sAMAccountName entries */
634 if ( (sam_account_name = ads_get_samaccountname( ads, ctx, machine_name)) == NULL ) {
635 DEBUG(0,("ads_keytab_add_entry: unable to determine machine account's name in AD!\n"));
640 /* upper case the sAMAccountName to make it easier for apps to
641 know what case to use in the keytab file */
643 strupper_m( sam_account_name );
645 if ( (ret = ads_keytab_add_entry(ads, sam_account_name )) != 0 ) {
646 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding sAMAccountName (%s)\n",
651 /* remember that not every machine account will have a upn */
653 upn = ads_get_upn( ads, ctx, machine_name);
655 if ( (ret = ads_keytab_add_entry(ads, upn)) != 0 ) {
656 DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding UPN (%s)\n",
665 /* Now loop through the keytab and update any other existing entries... */
667 kvno = (krb5_kvno) ads_get_kvno(ads, machine_name);
669 DEBUG(1,("ads_keytab_create_default: ads_get_kvno failed to determine the system's kvno.\n"));
673 DEBUG(3,("ads_keytab_create_default: Searching for keytab entries to "
674 "preserve and update.\n"));
676 ZERO_STRUCT(kt_entry);
679 initialize_krb5_error_table();
680 ret = krb5_init_context(&context);
682 DEBUG(1,("ads_keytab_create_default: could not krb5_init_context: %s\n",error_message(ret)));
685 ret = krb5_kt_default(context, &keytab);
687 DEBUG(1,("ads_keytab_create_default: krb5_kt_default failed (%s)\n",error_message(ret)));
691 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
692 if (ret != KRB5_KT_END && ret != ENOENT ) {
693 while ((ret = krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) == 0) {
694 smb_krb5_kt_free_entry(context, &kt_entry);
695 ZERO_STRUCT(kt_entry);
699 krb5_kt_end_seq_get(context, keytab, &cursor);
703 * Hmmm. There is no "rewind" function for the keytab. This means we have a race condition
704 * where someone else could add entries after we've counted them. Re-open asap to minimise
708 DEBUG(3, ("ads_keytab_create_default: Found %d entries in the keytab.\n", found));
712 oldEntries = SMB_MALLOC_ARRAY(char *, found );
714 DEBUG(1,("ads_keytab_create_default: Failed to allocate space to store the old keytab entries (malloc failed?).\n"));
718 memset(oldEntries, '\0', found * sizeof(char *));
720 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
721 if (ret != KRB5_KT_END && ret != ENOENT ) {
722 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
723 if (kt_entry.vno != kvno) {
724 char *ktprinc = NULL;
727 /* This returns a malloc'ed string in ktprinc. */
728 ret = smb_krb5_unparse_name(context, kt_entry.principal, &ktprinc);
730 DEBUG(1,("smb_krb5_unparse_name failed (%s)\n", error_message(ret)));
734 * From looking at the krb5 source they don't seem to take locale
735 * or mb strings into account. Maybe this is because they assume utf8 ?
736 * In this case we may need to convert from utf8 to mb charset here ? JRA.
738 p = strchr_m(ktprinc, '@');
743 p = strchr_m(ktprinc, '/');
747 for (i = 0; i < found; i++) {
748 if (!oldEntries[i]) {
749 oldEntries[i] = ktprinc;
752 if (!strcmp(oldEntries[i], ktprinc)) {
761 smb_krb5_kt_free_entry(context, &kt_entry);
762 ZERO_STRUCT(kt_entry);
765 for (i = 0; oldEntries[i]; i++) {
766 ret |= ads_keytab_add_entry(ads, oldEntries[i]);
767 SAFE_FREE(oldEntries[i]);
769 krb5_kt_end_seq_get(context, keytab, &cursor);
775 SAFE_FREE(oldEntries);
778 krb5_keytab_entry zero_kt_entry;
779 ZERO_STRUCT(zero_kt_entry);
780 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
781 smb_krb5_kt_free_entry(context, &kt_entry);
785 krb5_kt_cursor zero_csr;
786 ZERO_STRUCT(zero_csr);
787 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
788 krb5_kt_end_seq_get(context, keytab, &cursor);
792 krb5_kt_close(context, keytab);
795 krb5_free_context(context);
800 /**********************************************************************
802 ***********************************************************************/
804 int ads_keytab_list(void)
806 krb5_error_code ret = 0;
807 krb5_context context = NULL;
808 krb5_keytab keytab = NULL;
809 krb5_kt_cursor cursor;
810 krb5_keytab_entry kt_entry;
812 ZERO_STRUCT(kt_entry);
815 initialize_krb5_error_table();
816 ret = krb5_init_context(&context);
818 DEBUG(1,("ads_keytab_list: could not krb5_init_context: %s\n",error_message(ret)));
822 ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
824 DEBUG(1,("ads_keytab_list: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
828 ret = krb5_kt_start_seq_get(context, keytab, &cursor);
833 printf("Vno Type Principal\n");
835 while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0) {
837 char *princ_s = NULL;
838 char *etype_s = NULL;
839 krb5_enctype enctype = 0;
841 ret = smb_krb5_unparse_name(context, kt_entry.principal, &princ_s);
846 enctype = smb_get_enctype_from_kt_entry(&kt_entry);
848 ret = smb_krb5_enctype_to_string(context, enctype, &etype_s);
854 printf("%3d %s\t\t %s\n", kt_entry.vno, etype_s, princ_s);
859 ret = smb_krb5_kt_free_entry(context, &kt_entry);
865 ret = krb5_kt_end_seq_get(context, keytab, &cursor);
870 /* Ensure we don't double free. */
871 ZERO_STRUCT(kt_entry);
876 krb5_keytab_entry zero_kt_entry;
877 ZERO_STRUCT(zero_kt_entry);
878 if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
879 smb_krb5_kt_free_entry(context, &kt_entry);
883 krb5_kt_cursor zero_csr;
884 ZERO_STRUCT(zero_csr);
885 if ((memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
886 krb5_kt_end_seq_get(context, keytab, &cursor);
891 krb5_kt_close(context, keytab);
894 krb5_free_context(context);
899 #endif /* HAVE_KRB5 */