The branch, master has been updated via 8c94bbba270 testprogs/blackbox: add 'net ads keytab delete' tests to test_net_ads.sh via 797b38f5f9c testprogs/blackbox: fix prinicple => principal in test_net_ads.sh via dd0984c7191 testprogs/blackbox: let test_net_ads.sh consistently use the tmp WORKDIR via 17779a68339 s3:util: add 'net ads keytab delete' via 3dd26cb4d0c s3:libads: add ads_keytab_delete_entry() via 956c6562eba lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries() via 3881a440eef s3:libads: ads_keytab_flush() doesn't need a valid kvno via 173b6f6e60a lib/krb5_wrap: document the enctype argument of smb_krb5_kt_seek_and_delete_old_entries() via 7958e18b8ab lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_seek_and_delete_old_entries() via b7ea69bdff3 lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_add_entry() via 39cf93c79ef bootstrap: Update to openSUSE 15.4 from 6f1a9ef2072 lib:replace: Require bool from C99
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8c94bbba2704a07c7f13f11496c4a3a93c4fda11 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Oct 27 14:32:27 2022 +0200 testprogs/blackbox: add 'net ads keytab delete' tests to test_net_ads.sh Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Oct 27 22:14:53 UTC 2022 on sn-devel-184 commit 797b38f5f9cebeb6920fb78697e8c058a1554666 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Oct 27 14:31:42 2022 +0200 testprogs/blackbox: fix prinicple => principal in test_net_ads.sh Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit dd0984c71919e3119dceeee35f5b7e0bd6482456 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Oct 27 14:30:48 2022 +0200 testprogs/blackbox: let test_net_ads.sh consistently use the tmp WORKDIR Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 17779a68339162546d5a4125f092984034a2f943 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 11:36:44 2022 +0200 s3:util: add 'net ads keytab delete' Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 3dd26cb4d0cf9742f3284a334b38ea3d0b6b653f Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 11:36:01 2022 +0200 s3:libads: add ads_keytab_delete_entry() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 956c6562ebaaec6f41d5b9e86af7ffe377ab00ab Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 11:03:34 2022 +0200 lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to smb_krb5_kt_seek_and_delete_old_entries() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 3881a440eefa1e0a3a4be2f0e9ae9c2ecd65b267 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 11:02:21 2022 +0200 s3:libads: ads_keytab_flush() doesn't need a valid kvno Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 173b6f6e60a3d0ea3298f31ca7f37104d10f47bb Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 10:51:09 2022 +0200 lib/krb5_wrap: document the enctype argument of smb_krb5_kt_seek_and_delete_old_entries() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 7958e18b8abada5fa33d2f189166d524fb332050 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 10:34:47 2022 +0200 lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_seek_and_delete_old_entries() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit b7ea69bdff3b58e3a0a15de26cd317d0e959df00 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Oct 26 10:34:47 2022 +0200 lib/krb5_wrap: remove unused keep_old_entries argument from smb_krb5_kt_add_entry() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 39cf93c79ef17eac4196e1de6e825955f7fbc8d8 Author: Samuel Cabrero <scabr...@samba.org> Date: Thu Oct 27 09:05:46 2022 +0200 bootstrap: Update to openSUSE 15.4 
Signed-off-by: Samuel Cabrero <scabr...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-main.yml | 10 +- bootstrap/.gitlab-ci.yml | 2 +- bootstrap/config.py | 10 +- bootstrap/generated-dists/Vagrantfile | 10 +- .../{opensuse153 => opensuse154}/Dockerfile | 2 +- .../{opensuse153 => opensuse154}/bootstrap.sh | 4 +- .../{opensuse153 => opensuse154}/locale.sh | 0 .../{opensuse153 => opensuse154}/packages.yml | 4 +- bootstrap/sha1sum.txt | 2 +- lib/krb5_wrap/krb5_samba.c | 46 +++--- lib/krb5_wrap/krb5_samba.h | 8 +- source3/libads/ads_proto.h | 1 + source3/libads/kerberos_keytab.c | 166 ++++++++++++++++++--- source3/utils/net_ads.c | 50 +++++++ source4/libnet/libnet_export_keytab.c | 3 +- testprogs/blackbox/test_net_ads.sh | 72 +++++++-- 16 files changed, 316 insertions(+), 74 deletions(-) rename bootstrap/generated-dists/{opensuse153 => opensuse154}/Dockerfile (92%) rename bootstrap/generated-dists/{opensuse153 => opensuse154}/bootstrap.sh (98%) rename bootstrap/generated-dists/{opensuse153 => opensuse154}/locale.sh (100%) rename bootstrap/generated-dists/{opensuse153 => opensuse154}/packages.yml (96%) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index c3174f5f1b5..314d5210ca6 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 1e06877f1afbb3dbd4283e00310d63216a274333 + SAMBA_CI_CONTAINER_TAG: afb5d32dfeebf0f100bdf9073f0c802d051ec15e # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. 
@@ -61,7 +61,7 @@ variables: SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ubuntu1804 SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004 SAMBA_CI_CONTAINER_IMAGE_debian11: debian11 - SAMBA_CI_CONTAINER_IMAGE_opensuse153: opensuse153 + SAMBA_CI_CONTAINER_IMAGE_opensuse154: opensuse154 SAMBA_CI_CONTAINER_IMAGE_fedora36: fedora36 SAMBA_CI_CONTAINER_IMAGE_f36mit120: f36mit120 SAMBA_CI_CONTAINER_IMAGE_centos7: centos7 @@ -547,7 +547,7 @@ pages: coverity: extends: .shared_runner_build_image variables: - SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse153} + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154} stage: build script: - wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O /tmp/coverity_tool.tgz @@ -629,10 +629,10 @@ debian11-samba-o3: variables: SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11} -opensuse153-samba-o3: +opensuse154-samba-o3: extends: .samba-o3-template variables: - SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse153} + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154} centos7-samba-o3: extends: .samba-o3-template diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 626e0103410..a9777348334 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -114,5 +114,5 @@ centos7: # We install a compat-gnutls34 package for GnuTLS >= 3.4.7 PKG_CONFIG_PATH: /usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig -opensuse153: +opensuse154: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index bf2ce5207bb..9546db1fb28 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py 
@@ -517,9 +517,9 @@ RPM_DISTS = { 'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available } }, - 'opensuse153': { - 'docker_image': 'opensuse/leap:15.3', - 'vagrant_box': 'opensuse/openSUSE-15.3-x86_64', + 'opensuse154': { + 'docker_image': 'opensuse/leap:15.4', + 'vagrant_box': 'opensuse/openSUSE-15.4-x86_64', 'bootstrap': ZYPPER_BOOTSTRAP, 'replace': { '@development-tools': '', @@ -531,7 +531,7 @@ RPM_DISTS = { 'jansson-devel': 'libjansson-devel', 'keyutils-libs-devel': 'keyutils-devel', 'krb5-workstation': 'krb5-client', - 'python3-libsemanage': 'python2-semanage', + 'python3-libsemanage': 'python3-semanage', 'openldap-devel': 'openldap2-devel', 'perl-Archive-Tar': 'perl-Archive-Tar-Wrapper', 'perl-JSON-Parse': 'perl-JSON-XS', @@ -546,8 +546,8 @@ RPM_DISTS = { 'glusterfs-api-devel': '', 'libtasn1-tools': '', # asn1Parser is part of libtasn1 'mold': '', - 'ShellCheck': '', 'shfmt': '', + 'yum-utils': '', } } } diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 9b1b3f154d7..28f8f89b7d9 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -45,11 +45,11 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "fedora36/locale.sh" end - config.vm.define "opensuse153" do |v| - v.vm.box = "opensuse/openSUSE-15.3-x86_64" - v.vm.hostname = "opensuse153" - v.vm.provision :shell, path: "opensuse153/bootstrap.sh" - v.vm.provision :shell, path: "opensuse153/locale.sh" + config.vm.define "opensuse154" do |v| + v.vm.box = "opensuse/openSUSE-15.4-x86_64" + v.vm.hostname = "opensuse154" + v.vm.provision :shell, path: "opensuse154/bootstrap.sh" + v.vm.provision :shell, path: "opensuse154/locale.sh" end config.vm.define "ubuntu1804" do |v| 
diff --git a/bootstrap/generated-dists/opensuse153/Dockerfile b/bootstrap/generated-dists/opensuse154/Dockerfile similarity index 92% rename from bootstrap/generated-dists/opensuse153/Dockerfile rename to bootstrap/generated-dists/opensuse154/Dockerfile index f252e8b2877..a6bdd6cb328 100644 --- a/bootstrap/generated-dists/opensuse153/Dockerfile +++ b/bootstrap/generated-dists/opensuse154/Dockerfile @@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM opensuse/leap:15.3 +FROM opensuse/leap:15.4 # pass in with --build-arg while build ARG SHA1SUM diff --git a/bootstrap/generated-dists/opensuse153/bootstrap.sh b/bootstrap/generated-dists/opensuse154/bootstrap.sh similarity index 98% rename from bootstrap/generated-dists/opensuse153/bootstrap.sh rename to bootstrap/generated-dists/opensuse154/bootstrap.sh index fb155f18312..33f46c41284 100755 --- a/bootstrap/generated-dists/opensuse153/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse154/bootstrap.sh @@ -12,6 +12,7 @@ zypper --non-interactive update zypper --non-interactive install \ --no-recommends \ system-user-nobody \ + ShellCheck \ acl \ attr \ autoconf \ @@ -81,7 +82,6 @@ zypper --non-interactive install \ popt-devel \ procps \ psmisc \ - python2-semanage \ python3 \ python3-Markdown \ python3-cryptography \ @@ -92,6 +92,7 @@ zypper --non-interactive install \ python3-pyasn1 \ python3-python-dateutil \ python3-requests \ + python3-semanage \ python3-setproctitle \ readline-devel \ rng-tools \ @@ -108,7 +109,6 @@ zypper --non-interactive install \ which \ xfsprogs-devel \ xz \ - yum-utils \ zlib-devel zypper --non-interactive clean diff --git a/bootstrap/generated-dists/opensuse153/locale.sh b/bootstrap/generated-dists/opensuse154/locale.sh similarity index 100% rename from bootstrap/generated-dists/opensuse153/locale.sh rename to bootstrap/generated-dists/opensuse154/locale.sh 
diff --git a/bootstrap/generated-dists/opensuse153/packages.yml b/bootstrap/generated-dists/opensuse154/packages.yml similarity index 96% rename from bootstrap/generated-dists/opensuse153/packages.yml rename to bootstrap/generated-dists/opensuse154/packages.yml index d555584c630..ddb2d37c4b7 100644 --- a/bootstrap/generated-dists/opensuse153/packages.yml +++ b/bootstrap/generated-dists/opensuse154/packages.yml @@ -1,5 +1,6 @@ --- packages: + - ShellCheck - acl - attr - autoconf @@ -69,7 +70,6 @@ packages: - popt-devel - procps - psmisc - - python2-semanage - python3 - python3-Markdown - python3-cryptography @@ -80,6 +80,7 @@ packages: - python3-pyasn1 - python3-python-dateutil - python3-requests + - python3-semanage - python3-setproctitle - readline-devel - rng-tools @@ -96,5 +97,4 @@ packages: - which - xfsprogs-devel - xz - - yum-utils - zlib-devel \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 0830eea5f84..b87fad087bb 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -1e06877f1afbb3dbd4283e00310d63216a274333 +afb5d32dfeebf0f100bdf9073f0c802d051ec15e diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 4afec815b0d..6edb2b84d75 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c 
@@ -1630,28 +1630,33 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx, * * @param[in] keytab The keytab to operate on. * + * @param[in] keep_old_kvno Keep the entries with the previous kvno. + * * @param[in] kvno The kvnco to use. * + * @param[in] enctype_only Only evaluate the enctype argument if true + * + * @param[in] enctype Only search for entries with the specified enctype + * * @param[in] princ_s The principal as a string to search for. * * @param[in] princ The principal as a krb5_principal to search for. * * @param[in] flush Whether to flush the complete keytab. * - * @param[in] keep_old_entries Keep the entry with the previous kvno. - * * @retval 0 on Sucess * * @return An appropriate KRB5 error code. */ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, krb5_keytab keytab, + bool keep_old_kvno, krb5_kvno kvno, + bool enctype_only, krb5_enctype enctype, const char *princ_s, krb5_principal princ, - bool flush, - bool keep_old_entries) + bool flush) { krb5_error_code ret; krb5_kt_cursor cursor; @@ -1660,6 +1665,16 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, krb5_kvno old_kvno = kvno - 1; TALLOC_CTX *tmp_ctx; + if (flush) { + SMB_ASSERT(!keep_old_kvno); + SMB_ASSERT(!enctype_only); + SMB_ASSERT(princ_s == NULL); + SMB_ASSERT(princ == NULL); + } else { + SMB_ASSERT(princ_s != NULL); + SMB_ASSERT(princ != NULL); + } + ZERO_STRUCT(cursor); ZERO_STRUCT(kt_entry); @@ -1680,7 +1695,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, krb5_enctype kt_entry_enctype = smb_krb5_kt_get_enctype_from_entry(&kt_entry); - if (!flush && (princ_s != NULL)) { + if (princ_s != NULL) { ret = smb_krb5_unparse_name(tmp_ctx, context, kt_entry.principal, &ktprinc); 
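Review bot: The doc comment for smb_krb5_kt_seek_and_delete_old_entries() in the `@@ -1630` hunk does not state the argument combinations that the function now enforces. The asserts added in the following hunk require keep_old_kvno and enctype_only to be false and princ_s/princ to be NULL when flush is true, and both principal arguments to be non-NULL otherwise. I would extend the flush entry to `@param[in] flush Whether to flush the complete keytab; keep_old_kvno and enctype_only must then be false and princ_s/princ NULL.` The kvno entry could also say that, as far as the visible conditions show, it is only consulted together with keep_old_kvno or enctype_only. The function body continues outside this hunk.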
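Review bot: The argument checks added at the top of smb_krb5_kt_seek_and_delete_old_entries() (`@@ -1660` hunk) use SMB_ASSERT, which panics the process, so a wrong combination never comes back as the krb5_error_code the function already returns. For a shared helper in lib/krb5_wrap, returning an error keeps the failure on the normal `ret` path: `if (flush && (keep_old_kvno || enctype_only || princ_s != NULL || princ != NULL)) return EINVAL;` and `if (!flush && (princ_s == NULL || princ == NULL)) return EINVAL;`. If the panic is meant as a programmer-error trap, a one-line comment above the block saying so would be enough. In the visible lines the checks appear to come before anything is allocated, so an early return there should not leak; the rest of the body is outside the hunk.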
@@ -1734,21 +1749,14 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, * the compare accordingly. */ - if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) { + if (keep_old_kvno && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) { DEBUG(5, (__location__ ": Saving previous (kvno %d) " "entry for principal: %s.\n", old_kvno, princ_s)); continue; } - if (keep_old_entries) { - DEBUG(5, (__location__ ": Saving old (kvno %d) " - "entry for principal: %s.\n", - kvno, princ_s)); - continue; - } - - if (!flush && + if (enctype_only && ((kt_entry.vno & 0xff) == (kvno & 0xff)) && (kt_entry_enctype != enctype)) { @@ -1829,8 +1837,6 @@ out: * this is only set to false for encryption types * which do not support salting like RC4. * - * @param[in] keep_old_entries Whether to keep or delete old keytab entries. - * * @retval 0 on Success * * @return A corresponding KRB5 error code. @@ -1844,8 +1850,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context, const char *salt_principal, krb5_enctype enctype, krb5_data *password, - bool no_salt, - bool keep_old_entries) + bool no_salt) { krb5_error_code ret; krb5_keytab_entry kt_entry; @@ -1864,12 +1869,13 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context, /* Seek and delete old keytab entries */ ret = smb_krb5_kt_seek_and_delete_old_entries(context, keytab, + true, /* keep_old_kvno */ kvno, + true, /* enctype_only */ enctype, princ_s, princ, - false, - keep_old_entries); + false); /* flush */ if (ret) { goto out; } diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index d082ed43f03..93a010323bf 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h 
@@ -213,12 +213,13 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx, const char **keytab_name); krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, krb5_keytab keytab, + bool keep_old_kvno, krb5_kvno kvno, + bool enctype_only, krb5_enctype enctype, const char *princ_s, krb5_principal princ, - bool flush, - bool keep_old_entries); + bool flush); krb5_error_code smb_krb5_kt_add_entry(krb5_context context, krb5_keytab keytab, krb5_kvno kvno, @@ -226,8 +227,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context, const char *salt_principal, krb5_enctype enctype, krb5_data *password, - bool no_salt, - bool keep_old_entries); + bool no_salt); krb5_error_code smb_krb5_get_credentials(krb5_context context, krb5_ccache ccache, diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index ce04ac2a252..76396aabc34 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -62,6 +62,7 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descripto int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads); +int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc); int ads_keytab_flush(ADS_STRUCT *ads); int ads_keytab_create_default(ADS_STRUCT *ads); int ads_keytab_list(const char *keytab_name); diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index b7e1846bd9f..347879c54a5 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -306,8 +306,7 @@ static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, salt_princ_s, enctypes[i], password, - false, - false); + false); /* no_salt */ if (ret) { DBG_WARNING("Failed to add entry to keytab\n"); goto out; 
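Review bot: The new prototype of smb_krb5_kt_seek_and_delete_old_entries() in krb5_samba.h (`@@ -213` hunk) interleaves `bool keep_old_kvno`, `krb5_kvno kvno`, `bool enctype_only` and `krb5_enctype enctype`, which are all integer-like and convert to each other implicitly in C. A call that transposes two of them still compiles, and in this function that silently changes which keytab entries are deleted or kept. The call in smb_krb5_kt_add_entry() labels each literal (`true, /* keep_old_kvno */`), which helps. I would ask for the same labelling at every call site, or fold the three booleans into a single flags argument so the selection is named where it is made.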
@@ -322,8 +321,7 @@ static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, salt_princ_s, enctypes[i], password, - false, - false); + false); /* no_salt */ if (ret) { DBG_WARNING("Failed to add short entry to keytab\n"); goto out; @@ -460,22 +458,26 @@ out: } /********************************************************************** - Flushes all entries from the system keytab. + Delete a single service principal, i.e. 'host' from the system keytab ***********************************************************************/ -int ads_keytab_flush(ADS_STRUCT *ads) +int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc) { + TALLOC_CTX *frame = talloc_stackframe(); krb5_error_code ret = 0; krb5_context context = NULL; krb5_keytab keytab = NULL; - krb5_kvno kvno; - ADS_STATUS aderr; + char *princ_s = NULL; + krb5_principal princ = NULL; + char *short_princ_s = NULL; + krb5_principal short_princ = NULL; + bool ok; ret = smb_krb5_init_context_common(&context); if (ret) { DBG_ERR("kerberos init context failed (%s)\n", error_message(ret)); - return ret; + goto out; } ret = ads_keytab_open(context, &keytab); 
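Review bot: ads_keytab_delete_entry() (`@@ -460` hunk) uses srvPrinc without validating it. The continuation of the function in the next hunk evaluates `srvPrinc[strlen(srvPrinc)-1] == '$'`, which indexes out of bounds when the string is empty, and strchr_m() is called on it before that, so NULL is not handled either. The value presumably comes from the `net ads keytab delete` command line, so an empty argument is reachable by anyone running the tool. A guard right after the stackframe is created would cover both cases: `if (srvPrinc == NULL || srvPrinc[0] == '\0') { ret = -1; goto out; }`. The function body continues past this hunk and the page is truncated, so the `out:` cleanup this relies on is not visible here.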
@@ -483,23 +485,153 @@ int ads_keytab_flush(ADS_STRUCT *ads) goto out; } - kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); - if (kvno == -1) { - /* -1 indicates a failure */ - DEBUG(1, (__location__ ": Error determining the kvno.\n")); - ret = -1; + /* Construct our principal */ + if (strchr_m(srvPrinc, '@')) { + /* It's a fully-named principal. */ + princ_s = talloc_asprintf(frame, "%s", srvPrinc); + if (!princ_s) { + ret = -1; + goto out; + } + } else if (srvPrinc[strlen(srvPrinc)-1] == '$') { + /* It's the machine account, as used by smbclient clients. */ + princ_s = talloc_asprintf(frame, "%s@%s", + srvPrinc, lp_realm()); + if (!princ_s) { + ret = -1; + goto out; + } + } else { + /* + * It's a normal service principal. + */ + char *my_fqdn = NULL; + char *tmp = NULL; + + /* + * SPN should have '/' otherwise we + * need to fallback and find our dnshostname + */ + tmp = strchr_m(srvPrinc, '/'); + if (tmp == NULL) { + my_fqdn = ads_get_dnshostname(ads, frame, lp_netbios_name()); + if (!my_fqdn) { + DBG_ERR("unable to determine machine account's dns name in " + "AD!\n"); + ret = -1; + goto out; + } + } + + ok = service_or_spn_to_kerberos_princ(frame, + srvPrinc, + my_fqdn, + &princ_s, + &short_princ_s); + if (!ok) { + ret = -1; + goto out; + } + } + + ret = smb_krb5_parse_name(context, princ_s, &princ); + if (ret) { -- Samba Shared Repository