static krb5_error_code libnet_keytab_add_entry(krb5_context context,
krb5_keytab keytab,
krb5_kvno kvno,
const char *princ_s,
krb5_enctype enctype,
krb5_data password)
{
krb5_keyblock *keyp;
krb5_keytab_entry kt_entry;
krb5_error_code ret;
/* remove duplicates first ... */
ret = libnet_keytab_remove_entries(context, keytab, princ_s, kvno,
enctype, false);
if (ret) {
DEBUG(1, ("libnet_keytab_remove_entries failed: %s\n",
error_message(ret)));
}
ZERO_STRUCT(kt_entry);
kt_entry.vno = kvno;
ret = smb_krb5_parse_name(context, princ_s, &kt_entry.principal);
if (ret) {
DEBUG(1, ("smb_krb5_parse_name(%s) failed (%s)\n",
princ_s, error_message(ret)));
return ret;
}
keyp = KRB5_KT_KEY(&kt_entry);
if (create_kerberos_key_from_string(context, kt_entry.principal,
&password, keyp, enctype, true))
{
ret = KRB5KRB_ERR_GENERIC;
goto done;
}
ret = krb5_kt_add_entry(context, keytab, &kt_entry);
if (ret) {
DEBUG(1, ("adding entry to keytab failed (%s)\n",
error_message(ret)));
}
done:
krb5_free_keyblock_contents(context, keyp);
krb5_free_principal(context, kt_entry.principal);
ZERO_STRUCT(kt_entry);
smb_krb5_kt_free_entry(context, &kt_entry);
return ret;
}
int main (int argc, char **argv)
{
TALLOC_CTX *mem_ctx = talloc_init("ktutil");
krb5_context context;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code ret;
char *keytab_name = NULL;
if (mem_ctx == NULL) {
printf("talloc_init() failed\n");
exit(1);
}
if (argc != 2) {
printf("Usage: %s KEYTAB\n", argv[0]);
exit(1);
}
keytab_name = argv[1];
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
}
ret = smb_krb5_open_keytab_relative(context, keytab_name, false, &keytab);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "open keytab");
}
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_start_seq_get");
}
for (ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
ret == 0;
ret = krb5_kt_next_entry(context, keytab, &entry, &cursor))
{
char *principal = NULL;
char *enctype_str = NULL;
krb5_enctype enctype = smb_get_enctype_from_kt_entry(&entry);
ret = smb_krb5_unparse_name(mem_ctx,
context,
entry.principal,
&principal);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
}
ret = smb_krb5_enctype_to_string(context,
enctype,
&enctype_str);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_enctype_to_string");
}
printf("%s (%s)\n", principal, enctype_str);
TALLOC_FREE(principal);
SAFE_FREE(enctype_str);
smb_krb5_kt_free_entry(context, &entry);
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_end_seq_get");
}
ret = krb5_kt_close(context, keytab);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_kt_close");
}
krb5_free_context(context);
talloc_free(mem_ctx);
return 0;
}
static bool ads_keytab_verify_ticket(krb5_context context,
krb5_auth_context auth_context,
const DATA_BLOB *ticket,
krb5_ticket **pp_tkt,
krb5_keyblock **keyblock,
krb5_error_code *perr)
{
krb5_error_code ret = 0;
bool auth_ok = False;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
char *entry_princ_s = NULL;
fstring my_name, my_fqdn;
int i;
int number_matched_principals = 0;
krb5_data packet;
*pp_tkt = NULL;
*keyblock = NULL;
*perr = 0;
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
* service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
fstrcpy(my_name, global_myname());
my_fqdn[0] = '\0';
name_to_fqdn(my_fqdn, global_myname());
if (asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm()) == -1) {
goto out;
}
if (asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
goto out;
}
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
goto out;
}
/* Iterate through the keytab. For each key, if the principal
* name case-insensitively matches one of the allowed formats,
* try verifying the ticket using that principal. */
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
goto out;
}
while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
ret = smb_krb5_unparse_name(context, kt_entry.principal, &entry_princ_s);
if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
error_message(ret)));
goto out;
}
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
if (!strequal(entry_princ_s, valid_princ_formats[i])) {
continue;
}
number_matched_principals++;
packet.length = ticket->length;
packet.data = (char *)ticket->data;
*pp_tkt = NULL;
ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, &packet,
kt_entry.principal, keytab,
NULL, pp_tkt, keyblock);
if (ret) {
DEBUG(10,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
entry_princ_s, error_message(ret)));
/* workaround for MIT:
* as krb5_ktfile_get_entry will explicitly
* close the krb5_keytab as soon as krb5_rd_req
* has successfully decrypted the ticket but the
* ticket is not valid yet (due to clockskew)
* there is no point in querying more keytab
* entries - Guenther */
if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
ret == KRB5KRB_AP_ERR_SKEW) {
break;
}
} else {
DEBUG(3,("ads_keytab_verify_ticket: "
"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
entry_princ_s));
auth_ok = True;
break;
}
}
/* Free the name we parsed. */
SAFE_FREE(entry_princ_s);
/* Free the entry we just read. */
smb_krb5_kt_free_entry(context, &kt_entry);
ZERO_STRUCT(kt_entry);
}
krb5_kt_end_seq_get(context, keytab, &kt_cursor);
ZERO_STRUCT(kt_cursor);
out:
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
SAFE_FREE(valid_princ_formats[i]);
}
if (!auth_ok) {
if (!number_matched_principals) {
DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
} else {
DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
number_matched_principals));
}
}
SAFE_FREE(entry_princ_s);
{
krb5_keytab_entry zero_kt_entry;
ZERO_STRUCT(zero_kt_entry);
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
}
{
krb5_kt_cursor zero_csr;
ZERO_STRUCT(zero_csr);
if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
krb5_kt_end_seq_get(context, keytab, &kt_cursor);
}
}
if (keytab) {
krb5_kt_close(context, keytab);
}
*perr = ret;
return auth_ok;
}
struct libnet_keytab_entry *libnet_keytab_search(struct libnet_keytab_context *ctx,
const char *principal,
int kvno,
const krb5_enctype enctype,
TALLOC_CTX *mem_ctx)
{
krb5_error_code ret = 0;
krb5_kt_cursor cursor;
krb5_keytab_entry kt_entry;
struct libnet_keytab_entry *entry = NULL;
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(cursor);
ret = krb5_kt_start_seq_get(ctx->context, ctx->keytab, &cursor);
if (ret) {
DEBUG(10, ("krb5_kt_start_seq_get failed: %s\n",
error_message(ret)));
return NULL;
}
while (krb5_kt_next_entry(ctx->context, ctx->keytab, &kt_entry, &cursor) == 0)
{
krb5_keyblock *keyp;
char *princ_s = NULL;
entry = NULL;
if (kt_entry.vno != kvno) {
goto cont;
}
keyp = KRB5_KT_KEY(&kt_entry);
if (KRB5_KEY_TYPE(keyp) != enctype) {
goto cont;
}
entry = talloc_zero(mem_ctx, struct libnet_keytab_entry);
if (!entry) {
DEBUG(3, ("talloc failed\n"));
goto fail;
}
ret = smb_krb5_unparse_name(entry, ctx->context, kt_entry.principal,
&princ_s);
if (ret) {
goto cont;
}
if (strcmp(principal, princ_s) != 0) {
goto cont;
}
entry->principal = talloc_strdup(entry, princ_s);
if (!entry->principal) {
DEBUG(3, ("talloc_strdup_failed\n"));
goto fail;
}
entry->name = talloc_move(entry, &princ_s);
entry->password = data_blob_talloc(entry, KRB5_KEY_DATA(keyp),
KRB5_KEY_LENGTH(keyp));
if (!entry->password.data) {
DEBUG(3, ("data_blob_talloc failed\n"));
goto fail;
}
DEBUG(10, ("found entry\n"));
smb_krb5_kt_free_entry(ctx->context, &kt_entry);
break;
fail:
smb_krb5_kt_free_entry(ctx->context, &kt_entry);
TALLOC_FREE(entry);
break;
cont:
smb_krb5_kt_free_entry(ctx->context, &kt_entry);
TALLOC_FREE(entry);
continue;
}
krb5_kt_end_seq_get(ctx->context, ctx->keytab, &cursor);
return entry;
}
/**
* Remove all entries that have the given principal, kvno and enctype.
*/
static krb5_error_code libnet_keytab_remove_entries(krb5_context context,
krb5_keytab keytab,
const char *principal,
int kvno,
const krb5_enctype enctype,
bool ignore_kvno)
{
krb5_error_code ret;
krb5_kt_cursor cursor;
krb5_keytab_entry kt_entry;
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(cursor);
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret) {
return 0;
}
while (krb5_kt_next_entry(context, keytab, &kt_entry, &cursor) == 0)
{
krb5_keyblock *keyp;
char *princ_s = NULL;
if (kt_entry.vno != kvno && !ignore_kvno) {
goto cont;
}
keyp = KRB5_KT_KEY(&kt_entry);
if (KRB5_KEY_TYPE(keyp) != enctype) {
goto cont;
}
ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal,
&princ_s);
if (ret) {
DEBUG(5, ("smb_krb5_unparse_name failed (%s)\n",
error_message(ret)));
goto cont;
}
if (strcmp(principal, princ_s) != 0) {
goto cont;
}
/* match found - remove */
DEBUG(10, ("found entry for principal %s, kvno %d, "
"enctype %d - trying to remove it\n",
princ_s, kt_entry.vno, KRB5_KEY_TYPE(keyp)));
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
ZERO_STRUCT(cursor);
if (ret) {
DEBUG(5, ("krb5_kt_end_seq_get failed (%s)\n",
error_message(ret)));
goto cont;
}
ret = krb5_kt_remove_entry(context, keytab,
&kt_entry);
if (ret) {
DEBUG(5, ("krb5_kt_remove_entry failed (%s)\n",
error_message(ret)));
goto cont;
}
DEBUG(10, ("removed entry for principal %s, kvno %d, "
"enctype %d\n", princ_s, kt_entry.vno,
KRB5_KEY_TYPE(keyp)));
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret) {
DEBUG(5, ("krb5_kt_start_seq_get failed (%s)\n",
error_message(ret)));
goto cont;
}
cont:
smb_krb5_kt_free_entry(context, &kt_entry);
TALLOC_FREE(princ_s);
}
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
if (ret) {
DEBUG(5, ("krb5_kt_end_seq_get failed (%s)\n",
error_message(ret)));
}
return ret;
}
static BOOL ads_keytab_verify_ticket(krb5_context context,
krb5_auth_context auth_context,
const DATA_BLOB *ticket,
krb5_ticket **pp_tkt,
krb5_keyblock **keyblock,
krb5_error_code *perr)
{
krb5_error_code ret = 0;
BOOL auth_ok = False;
krb5_keytab keytab = NULL;
krb5_kt_cursor kt_cursor;
krb5_keytab_entry kt_entry;
char *valid_princ_formats[9];
fstring my_name, my_fqdn;
int i;
const char * lkdc_realm = lp_parm_talloc_string(GLOBAL_SECTION_SNUM,
"com.apple", "lkdc realm", NULL);
ZERO_ARRAY(valid_princ_formats);
*pp_tkt = NULL;
*keyblock = NULL;
*perr = 0;
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
* service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
fstrcpy(my_name, global_myname());
my_fqdn[0] = '\0';
get_mydnsfullname(my_fqdn);
asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm());
asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm());
asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm());
asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm());
asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm());
asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
if (lkdc_realm) {
asprintf(&valid_princ_formats[7],
"host/%s@%s", lkdc_realm, lkdc_realm);
asprintf(&valid_princ_formats[8],
"cifs/%s@%s", lkdc_realm, lkdc_realm);
}
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
ret = krb5_kt_default(context, &keytab);
if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
goto out;
}
/* Iterate through the keytab. For each key, if the principal
* name case-insensitively matches one of the allowed formats,
* try verifying the ticket using that principal.
*/
ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
if (ret) {
DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
goto out;
}
while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
/* In MIT Kerberos, it is not legal to interleave krb5_rd_req()
* with krb5_kt_start_seq_get() and krb5_kt_end_seq_get() on the
* same krb5_keytab object. We have to keep a separate
* krb5_keytab object around for the krb5_rd_req().
*/
ret = ads_keytab_verify_for_principal(context,
auth_context, &kt_entry, ticket,
valid_princ_formats[i], pp_tkt, keyblock);
if (ret == 0) {
auth_ok = True;
}
/* Free the entry we just read. */
smb_krb5_kt_free_entry(context, &kt_entry);
ZERO_STRUCT(kt_entry);
if (auth_ok) {
/* success, let's go. */
break;
}
/* workaround for MIT:
* as krb5_ktfile_get_entry will explicitly
* close the krb5_keytab as soon as krb5_rd_req
* has sucessfully decrypted the ticket but the
* ticket is not valid yet (due to clockskew)
* there is no point in querying more keytab
* entries - Guenther */
if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
ret == KRB5KRB_AP_ERR_SKEW ||
ret == KRB5KRB_AP_ERR_REPEAT) {
break;
}
}
krb5_kt_end_seq_get(context, keytab, &kt_cursor);
krb5_kt_close(context, keytab);
keytab = NULL;
}
ZERO_STRUCT(kt_cursor);
out:
TALLOC_FREE(lkdc_realm);
for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
SAFE_FREE(valid_princ_formats[i]);
}
{
krb5_keytab_entry zero_kt_entry;
ZERO_STRUCT(zero_kt_entry);
if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
}
{
krb5_kt_cursor zero_csr;
ZERO_STRUCT(zero_csr);
if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
krb5_kt_end_seq_get(context, keytab, &kt_cursor);
}
}
if (keytab) {
krb5_kt_close(context, keytab);
}
*perr = ret;
return auth_ok;
}
static krb5_error_code
get_key_from_keytab(krb5_context context,
krb5_const_principal server,
krb5_enctype enctype,
krb5_kvno kvno,
krb5_keyblock **out_key)
{
krb5_keytab_entry entry;
krb5_error_code ret;
krb5_keytab keytab;
char *name = NULL;
/* We have to open a new keytab handle here, as MIT does
an implicit open/getnext/close on krb5_kt_get_entry. We
may be in the middle of a keytab enumeration when this is
called. JRA. */
ret = krb5_kt_default(context, &keytab);
if (ret) {
DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret)));
return ret;
}
if ( DEBUGLEVEL >= 10 ) {
if (smb_krb5_unparse_name(context, server, &name) == 0) {
DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
kvno, enctype, name));
SAFE_FREE(name);
}
}
ret = krb5_kt_get_entry(context,
keytab,
server,
kvno,
enctype,
&entry);
if (ret) {
DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
goto out;
}
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
ret = krb5_copy_keyblock(context, &entry.key, out_key);
#else
#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
#endif
if (ret) {
DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
goto out;
}
smb_krb5_kt_free_entry(context, &entry);
out:
krb5_kt_close(context, keytab);
return ret;
}
static bool ads_dedicated_keytab_verify_ticket(krb5_context context,
krb5_auth_context auth_context,
const DATA_BLOB *ticket,
krb5_ticket **pp_tkt,
krb5_keyblock **keyblock,
krb5_error_code *perr)
{
krb5_error_code ret = 0;
bool auth_ok = false;
krb5_keytab keytab = NULL;
krb5_keytab_entry kt_entry;
krb5_ticket *dec_ticket = NULL;
krb5_data packet;
krb5_kvno kvno = 0;
krb5_enctype enctype;
*pp_tkt = NULL;
*keyblock = NULL;
*perr = 0;
ZERO_STRUCT(kt_entry);
ret = smb_krb5_open_keytab(context, lp_dedicated_keytab_file(), true,
&keytab);
if (ret) {
DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
error_message(ret)));
goto out;
}
packet.length = ticket->length;
packet.data = (char *)ticket->data;
ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab,
NULL, &dec_ticket);
if (ret) {
DEBUG(0, ("krb5_rd_req failed (%s)\n", error_message(ret)));
goto out;
}
#ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
enctype = dec_ticket->ticket.key.keytype;
#else /* MIT */
enctype = dec_ticket->enc_part.enctype;
kvno = dec_ticket->enc_part.kvno;
#endif
/* Get the key for checking the pac signature */
ret = krb5_kt_get_entry(context, keytab, dec_ticket->server,
kvno, enctype, &kt_entry);
if (ret) {
DEBUG(0, ("krb5_kt_get_entry failed (%s)\n",
error_message(ret)));
goto out;
}
ret = krb5_copy_keyblock(context, KRB5_KT_KEY(&kt_entry), keyblock);
smb_krb5_kt_free_entry(context, &kt_entry);
if (ret) {
DEBUG(0, ("failed to copy key: %s\n",
error_message(ret)));
goto out;
}
auth_ok = true;
*pp_tkt = dec_ticket;
dec_ticket = NULL;
out:
if (dec_ticket)
krb5_free_ticket(context, dec_ticket);
if (keytab)
krb5_kt_close(context, keytab);
*perr = ret;
return auth_ok;
}