
Source code changes of the file "source3/libads/kerberos_keytab.c" between
samba-4.12.3.tar.gz and samba-4.12.5.tar.gz

About: Samba is the standard Windows interoperability suite of programs for Linux and Unix providing secure, stable and fast file and print services for all clients using the SMB/CIFS protocol. 4.12 series.

kerberos_keytab.c  (samba-4.12.3):kerberos_keytab.c  (samba-4.12.5)
skipping to change at line 231 skipping to change at line 231
ok = false; ok = false;
goto out; goto out;
} }
} }
*p_princ_s = princ_s; *p_princ_s = princ_s;
*p_short_princ_s = short_princ_s; *p_short_princ_s = short_princ_s;
out: out:
return ok; return ok;
} }
/********************************************************************** static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
Adds a single service principal, i.e. 'host' to the system keytab ADS_STRUCT *ads, const char *salt_princ_s,
***********************************************************************/ krb5_keytab keytab, krb5_kvno kvno,
const char *srvPrinc, const char *my_fqdn,
int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) krb5_data *password, bool update_ads)
{ {
krb5_error_code ret = 0; krb5_error_code ret = 0;
krb5_context context = NULL; char *princ_s = NULL;
krb5_keytab keytab = NULL; char *short_princ_s = NULL;
krb5_data password; krb5_enctype enctypes[4] = {
krb5_kvno kvno;
krb5_enctype enctypes[6] = {
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
#endif
#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
#endif #endif
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
#endif
ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC,
0 0
}; };
char *princ_s = NULL; size_t i;
char *short_princ_s = NULL;
char *salt_princ_s = NULL;
char *password_s = NULL;
char *my_fqdn;
TALLOC_CTX *tmpctx = NULL;
int i;
ret = smb_krb5_init_context_common(&context);
if (ret) {
DBG_ERR("kerberos init context failed (%s)\n",
error_message(ret));
return -1;
}
ret = ads_keytab_open(context, &keytab);
if (ret != 0) {
goto out;
}
/* retrieve the password */
if (!secrets_init()) {
DEBUG(1, (__location__ ": secrets_init failed\n"));
ret = -1;
goto out;
}
password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (!password_s) {
DEBUG(1, (__location__ ": failed to fetch machine password\n"));
ret = -1;
goto out;
}
ZERO_STRUCT(password);
password.data = password_s;
password.length = strlen(password_s);
/* we need the dNSHostName value here */
tmpctx = talloc_init(__location__);
if (!tmpctx) {
DEBUG(0, (__location__ ": talloc_init() failed!\n"));
ret = -1;
goto out;
}
my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
if (!my_fqdn) {
DEBUG(0, (__location__ ": unable to determine machine "
"account's dns name in AD!\n"));
ret = -1;
goto out;
}
/* make sure we have a single instance of a the computer account */
if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
DEBUG(0, (__location__ ": unable to determine machine "
"account's short name in AD!\n"));
ret = -1;
goto out;
}
/* Construct our principal */ /* Construct our principal */
if (strchr_m(srvPrinc, '@')) { if (strchr_m(srvPrinc, '@')) {
/* It's a fully-named principal. */ /* It's a fully-named principal. */
princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc); princ_s = talloc_asprintf(tmpctx, "%s", srvPrinc);
if (!princ_s) { if (!princ_s) {
ret = -1; ret = -1;
goto out; goto out;
} }
} else if (srvPrinc[strlen(srvPrinc)-1] == '$') { } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
skipping to change at line 359 skipping to change at line 299
if (!ads_set_machine_account_spns(tmpctx, if (!ads_set_machine_account_spns(tmpctx,
ads, ads,
srvPrinc, srvPrinc,
my_fqdn)) { my_fqdn)) {
ret = -1; ret = -1;
goto out; goto out;
} }
} }
} }
kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
if (kvno == -1) {
/* -1 indicates failure, everything else is OK */
DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
"determine the system's kvno.\n"));
ret = -1;
goto out;
}
salt_princ_s = kerberos_secrets_fetch_salt_princ();
if (salt_princ_s == NULL) {
DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
ret = -1;
goto out;
}
for (i = 0; enctypes[i]; i++) { for (i = 0; enctypes[i]; i++) {
/* add the fqdn principal to the keytab */ /* add the fqdn principal to the keytab */
ret = smb_krb5_kt_add_entry(context, ret = smb_krb5_kt_add_entry(context,
keytab, keytab,
kvno, kvno,
princ_s, princ_s,
salt_princ_s, salt_princ_s,
enctypes[i], enctypes[i],
&password, password,
false, false,
false); false);
if (ret) { if (ret) {
DEBUG(1, (__location__ ": Failed to add entry to keytab\n ")); DBG_WARNING("Failed to add entry to keytab\n");
goto out; goto out;
} }
/* add the short principal name if we have one */ /* add the short principal name if we have one */
if (short_princ_s) { if (short_princ_s) {
ret = smb_krb5_kt_add_entry(context, ret = smb_krb5_kt_add_entry(context,
keytab, keytab,
kvno, kvno,
short_princ_s, short_princ_s,
salt_princ_s, salt_princ_s,
enctypes[i], enctypes[i],
&password, password,
false, false,
false); false);
if (ret) { if (ret) {
DEBUG(1, (__location__ DBG_WARNING("Failed to add short entry to keytab\
": Failed to add short entry to keytab\ n");
n")); goto out;
}
}
}
out:
return ret;
}
/**********************************************************************
Adds a single service principal, i.e. 'host' to the system keytab
***********************************************************************/
int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
{
krb5_error_code ret = 0;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_data password;
krb5_kvno kvno;
char *salt_princ_s = NULL;
char *password_s = NULL;
char *my_fqdn;
TALLOC_CTX *tmpctx = NULL;
char **hostnames_array = NULL;
size_t num_hostnames = 0;
ret = smb_krb5_init_context_common(&context);
if (ret) {
DBG_ERR("kerberos init context failed (%s)\n",
error_message(ret));
return -1;
}
ret = ads_keytab_open(context, &keytab);
if (ret != 0) {
goto out;
}
/* retrieve the password */
if (!secrets_init()) {
DBG_WARNING("secrets_init failed\n");
ret = -1;
goto out;
}
password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (!password_s) {
DBG_WARNING("failed to fetch machine password\n");
ret = -1;
goto out;
}
ZERO_STRUCT(password);
password.data = password_s;
password.length = strlen(password_s);
/* we need the dNSHostName value here */
tmpctx = talloc_init(__location__);
if (!tmpctx) {
DBG_ERR("talloc_init() failed!\n");
ret = -1;
goto out;
}
my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
if (!my_fqdn) {
DBG_ERR("unable to determine machine account's dns name in "
"AD!\n");
ret = -1;
goto out;
}
/* make sure we have a single instance of a the computer account */
if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
DBG_ERR("unable to determine machine account's short name in "
"AD!\n");
ret = -1;
goto out;
}
kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
if (kvno == -1) {
/* -1 indicates failure, everything else is OK */
DBG_WARNING("ads_get_machine_kvno failed to determine the "
"system's kvno.\n");
ret = -1;
goto out;
}
salt_princ_s = kerberos_secrets_fetch_salt_princ();
if (salt_princ_s == NULL) {
DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
ret = -1;
goto out;
}
ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
kvno, srvPrinc, my_fqdn, &password,
update_ads);
if (ret != 0) {
goto out;
}
if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
lp_netbios_name(),
&hostnames_array,
&num_hostnames))) {
size_t i;
for (i = 0; i < num_hostnames; i++) {
ret = add_kt_entry_etypes(context, tmpctx, ads,
salt_princ_s, keytab,
kvno, srvPrinc,
hostnames_array[i],
&password, update_ads);
if (ret != 0) {
goto out; goto out;
} }
} }
} }
out: out:
SAFE_FREE(salt_princ_s); SAFE_FREE(salt_princ_s);
TALLOC_FREE(tmpctx); TALLOC_FREE(tmpctx);
if (keytab) { if (keytab) {
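Review bot: A failure of ads_get_additional_dns_hostnames() (the `if (ADS_ERR_OK(...))` block near the end of the new ads_keytab_add_entry) is indistinguishable from "no additional hostnames": on an LDAP or lookup error the keytab ends up without entries for the extra names and nothing is logged, while ret stays 0 from the earlier add_kt_entry_etypes() call; if this is intended to be best-effort, at least add an else branch such as `} else { DBG_WARNING("ads_get_additional_dns_hostnames failed, keytab entries for additional DNS hostnames not added\n"); }` so the gap is visible to an administrator. The two `DBG_WARNING("Failed to add entry to keytab\n")` messages in add_kt_entry_etypes would also be more useful with the krb5 code appended, as the init-context path already does with `error_message(ret)`. The new static helper add_kt_entry_etypes carries no header comment; one stating that it adds the fqdn principal (and the short principal when one is built) for srvPrinc/my_fqdn for each enabled enctype and, when update_ads is set, appears to update the machine account SPNs, would document the contract the old comment block used to give. add_kt_entry_etypes starts in the first hunk, and the `out:` cleanup of ads_keytab_add_entry continues past the end of this hunk.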
 End of changes. 9 change blocks. 
94 lines changed or deleted 132 lines changed or added
