From ed2a1f18d8d57e8d11945d0f9da53165c7f519bb Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Wed, 7 Sep 2016 12:18:29 +1200
Subject: [PATCH 1/2] s4-auth: Don't check for NULL saltPrincipal if it doesn't need it

This check causes 4.1 domains to be unable to change their DNS backend correctly as they do not have the saltPrincipal value stored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882

Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
(cherry picked from commit b02da114980d46e9e251a5d3dfbf549ef348548a)
---
 source4/auth/kerberos/srv_keytab.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
index 6e02b81..6f0073c 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -218,12 +218,6 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
 		return ENOENT;
 	}
 
-	if (saltPrincipal == NULL) {
-		*perror_string = talloc_strdup(parent_ctx,
-					       "No saltPrincipal provided");
-		return EINVAL;
-	}
-
 	ret = krb5_kt_resolve(context, keytab_name, &keytab);
 	if (ret) {
 		*perror_string = smb_get_krb5_error_message(context,
@@ -283,6 +277,12 @@ krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
 	/* Create a new keytab. If during the cleanout we found
 	 * entires for kvno -1, then don't try and duplicate them.
 	 * Otherwise, add kvno, and kvno -1 */
+	if (saltPrincipal == NULL) {
+		*perror_string = talloc_strdup(parent_ctx,
+					       "No saltPrincipal provided");
+		ret = EINVAL;
+		goto done;
+	}
 	ret = create_keytab(tmp_ctx, samAccountName, upper_realm, saltPrincipal,
-- 
1.9.1

From 67fd9762ee39a08306ce69d2c84f0ba0f5041f91 Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Thu, 15 Sep 2016 16:04:12 +1200
Subject: [PATCH 2/2] doc: Add doxygen for functions in srv_keytab.c
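Review bot: Relocating the saltPrincipal check from the first hunk to the second changes a pure argument-validation failure into one that happens after krb5_kt_resolve() has opened the keytab and, judging by the comment directly above the new check ("If during the cleanout we found entires for kvno -1"), apparently after the obsolete entries have already been removed from it, so a caller that passes NULL without delete_all_kvno now gets EINVAL back with the keytab left partially updated instead of untouched. Since the intent is only to skip the check when the salt is not needed, keeping the validation at its original position in the first hunk and gating it on the flag, `if (!delete_all_kvno && saltPrincipal == NULL) {`, preserves the fail-before-modify behaviour while still fixing the 4.1 domain case; the block added in the second hunk would then be redundant. If the late check is kept anyway, its use of `goto done` rather than a bare return is the right choice, as it presumably runs tmp_ctx cleanup that the old early return did not need. The enclosing function smb_krb5_update_keytab begins and ends outside both hunks, and the second hunk's trailing context lines appear to have been lost in extraction.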
Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10882
(cherry picked from commit 683fcad3ca1617a07e9ade82ec7e44ac512ab415)
---
 source4/auth/kerberos/srv_keytab.c | 47 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
index 6f0073c..d08721b 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -20,6 +20,12 @@
    along with this program. If not, see .
 */
 
+/**
+ * @file srv_keytab.c
+ *
+ * @brief Kerberos keytab utility functions
+ *
+ */
 #include "includes.h"
 #include "system/kerberos.h"
@@ -189,6 +195,31 @@ done:
 	return ret;
 }
 
+/**
+ * @brief Update a Kerberos keytab and removes any obsolete keytab entries.
+ *
+ * If the keytab does not exist, this function will create one.
+ *
+ * @param[in] parent_ctx Talloc memory context
+ * @param[in] context Kerberos context
+ * @param[in] keytab_name Keytab to open
+ * @param[in] samAccountName User account to update
+ * @param[in] realm Kerberos realm
+ * @param[in] SPNs Service principal names to update
+ * @param[in] num_SPNs Length of SPNs
+ * @param[in] saltPrincipal Salt used for AES encryption.
+ * Required, unless delete_all_kvno is set.
+ * @param[in] old_secret Old password
+ * @param[in] new_secret New password
+ * @param[in] kvno Current key version number
+ * @param[in] supp_enctypes msDS-SupportedEncryptionTypes bit-field
+ * @param[in] delete_all_kvno Removes all obsolete entries, without
+ * recreating the keytab.
+ * @param[out] _keytab If supplied, returns the keytab
+ * @param[out] perror_string Error string on failure
+ *
+ * @return 0 on success, errno on failure
+ */
 krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
 				       krb5_context context,
 				       const char *keytab_name,
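Review bot: The `@return 0 on success, errno on failure` line in the smb_krb5_update_keytab comment is narrower than what the function actually returns: the first patch shows `ret = krb5_kt_resolve(context, keytab_name, &keytab);` with the failure propagated, so callers also receive krb5_error_code values from the Kerberos library and must not decode the result as errno alone. Suggest `@return 0 on success, otherwise an errno value or a krb5_error_code from the Kerberos library; *perror_string is set on failure.`, and the same wording on smb_krb5_create_memory_keytab in the last hunk, which as a wrapper presumably surfaces the same codes. It would also help callers to state on `@param[out] perror_string` that the string is talloc-allocated on parent_ctx, as the `talloc_strdup(parent_ctx, ...)` in the first patch shows, and the @brief should read `Updates a Kerberos keytab and removes` for agreement. The documented function's body lies outside the hunk.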
@@ -312,6 +343,22 @@ done:
 	return ret;
 }
 
+/**
+ * @brief Wrapper around smb_krb5_update_keytab() for creating an in-memory keytab
+ *
+ * @param[in] parent_ctx Talloc memory context
+ * @param[in] context Kerberos context
+ * @param[in] new_secret New password
+ * @param[in] samAccountName User account to update
+ * @param[in] realm Kerberos realm
+ * @param[in] salt_principal Salt used for AES encryption.
+ * Required, unless delete_all_kvno is set.
+ * @param[in] kvno Current key version number
+ * @param[out] keytab If supplied, returns the keytab
+ * @param[out] keytab_name Returns the created keytab name
+ *
+ * @return 0 on success, errno on failure
+ */
 krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
 					      krb5_context context,
 					      const char *new_secret,
-- 
1.9.1