samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
authorAndrew Bartlett <abartlet@samba.org>
Thu, 7 Mar 2024 01:53:53 +0000 (14:53 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Mar 2024 22:06:40 +0000 (22:06 +0000)
Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file.  Instead, the administrator now needs
to specify a file that does not exist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
selftest/knownfail.d/export-keytab
source4/libnet/libnet_export_keytab.c
testprogs/blackbox/test_kinit_export_keytab.sh

index 9fa9aad7f4965cba13a9becc51b365f46be6fc42..34c16072f5a2dd5499bc8ed6e0d9aa3295dcd662 100644 (file)
@@ -1,3 +1 @@
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_existing
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_not_a_dir
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_change3_update_keep
index a049751fb4f5b1cb0326098ff4afe48438b4a2f4..76299eb2c38acaa900695fb3c12598bb6b27713c 100644 (file)
@@ -294,7 +294,26 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
        } else {
                DEBUG(0, ("Export complete keytab to %s\n", r->in.keytab_name));
                if (!keep_stale_entries) {
-                       unlink(r->in.keytab_name);
+                       struct stat st;
+                       int stat_ret = stat(r->in.keytab_name, &st);
+                       if (stat_ret == -1 && errno == ENOENT) {
+                               /* continue */
+                       } else if (stat_ret == -1) {
+                               int errno_save = errno;
+                               r->out.error_string
+                                       = talloc_asprintf(mem_ctx,
+                                                         "Failure checking if keytab export location %s is an existing file: %s",
+                                                         r->in.keytab_name,
+                                                         strerror(errno_save));
+                               return map_nt_error_from_unix_common(errno_save);
+                       } else {
+                               r->out.error_string
+                                       = talloc_asprintf(mem_ctx,
+                                                         "Refusing to export keytab to existing file %s",
+                                                         r->in.keytab_name);
+                               return NT_STATUS_OBJECT_NAME_EXISTS;
+                       }
+
                        /*
                         * No point looking for old
                         * keys in a empty file
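Review bot: `stat()` on the added line `int stat_ret = stat(r->in.keytab_name, &st);` follows symlinks, so a dangling symlink at the export path reports ENOENT, passes the new check, and the export then creates whatever the link points to; `int stat_ret = lstat(r->in.keytab_name, &st);` would refuse any pre-existing directory entry at that name, including such a link. The check is also check-then-act: a file that appears between this call and the point later in the function where the keytab is opened would presumably still be overwritten, which may be acceptable for an administrator-run tool but deserves a comment such as `/* Best effort only: the keytab is opened further down, so this is not race-free. */` next to the stat call. The empty `/* continue */` branch could be avoided by testing `stat_ret == 0` first (refuse) and `errno != ENOENT` second (report), leaving the ENOENT case to fall through. libnet_export_keytab begins and ends outside this hunk.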
index e520a1c0a2d1c33d75143ba29c010bf87f733020..204a756c7a15e1a91b1b2a53d07ac2c43e4755fb 100755 (executable)
@@ -131,6 +131,7 @@ test_keytab "read keytab from domain" \
 
 testit "dump keytab from domain (2nd time)" \
        "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+       --keep-stale-entries \
        "${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
        failed=$((failed + 1))