The branch, master has been updated
       via  8c94bbba270 testprogs/blackbox: add 'net ads keytab delete' tests 
to test_net_ads.sh
       via  797b38f5f9c testprogs/blackbox: fix prinicple => principal in 
test_net_ads.sh
       via  dd0984c7191 testprogs/blackbox: let test_net_ads.sh consistently 
use the tmp WORKDIR
       via  17779a68339 s3:util: add 'net ads keytab delete'
       via  3dd26cb4d0c s3:libads: add ads_keytab_delete_entry()
       via  956c6562eba lib/krb5_wrap: add explicit keep_old_kvno/enctype_only 
args to smb_krb5_kt_seek_and_delete_old_entries()
       via  3881a440eef s3:libads: ads_keytab_flush() doesn't need a valid kvno
       via  173b6f6e60a lib/krb5_wrap: document the enctype argument of 
smb_krb5_kt_seek_and_delete_old_entries()
       via  7958e18b8ab lib/krb5_wrap: remove unused keep_old_entries argument 
from smb_krb5_kt_seek_and_delete_old_entries()
       via  b7ea69bdff3 lib/krb5_wrap: remove unused keep_old_entries argument 
from smb_krb5_kt_add_entry()
       via  39cf93c79ef bootstrap: Update to openSUSE 15.4
      from  6f1a9ef2072 lib:replace: Require bool from C99

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8c94bbba2704a07c7f13f11496c4a3a93c4fda11
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Oct 27 14:32:27 2022 +0200

    testprogs/blackbox: add 'net ads keytab delete' tests to test_net_ads.sh
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Oct 27 22:14:53 UTC 2022 on sn-devel-184

commit 797b38f5f9cebeb6920fb78697e8c058a1554666
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Oct 27 14:31:42 2022 +0200

    testprogs/blackbox: fix prinicple => principal in test_net_ads.sh
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit dd0984c71919e3119dceeee35f5b7e0bd6482456
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Oct 27 14:30:48 2022 +0200

    testprogs/blackbox: let test_net_ads.sh consistently use the tmp WORKDIR
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 17779a68339162546d5a4125f092984034a2f943
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 11:36:44 2022 +0200

    s3:util: add 'net ads keytab delete'
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 3dd26cb4d0cf9742f3284a334b38ea3d0b6b653f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 11:36:01 2022 +0200

    s3:libads: add ads_keytab_delete_entry()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 956c6562ebaaec6f41d5b9e86af7ffe377ab00ab
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 11:03:34 2022 +0200

    lib/krb5_wrap: add explicit keep_old_kvno/enctype_only args to 
smb_krb5_kt_seek_and_delete_old_entries()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 3881a440eefa1e0a3a4be2f0e9ae9c2ecd65b267
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 11:02:21 2022 +0200

    s3:libads: ads_keytab_flush() doesn't need a valid kvno
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 173b6f6e60a3d0ea3298f31ca7f37104d10f47bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 10:51:09 2022 +0200

    lib/krb5_wrap: document the enctype argument of 
smb_krb5_kt_seek_and_delete_old_entries()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 7958e18b8abada5fa33d2f189166d524fb332050
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 10:34:47 2022 +0200

    lib/krb5_wrap: remove unused keep_old_entries argument from 
smb_krb5_kt_seek_and_delete_old_entries()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit b7ea69bdff3b58e3a0a15de26cd317d0e959df00
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Oct 26 10:34:47 2022 +0200

    lib/krb5_wrap: remove unused keep_old_entries argument from 
smb_krb5_kt_add_entry()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 39cf93c79ef17eac4196e1de6e825955f7fbc8d8
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Oct 27 09:05:46 2022 +0200

    bootstrap: Update to openSUSE 15.4
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |  10 +-
 bootstrap/.gitlab-ci.yml                           |   2 +-
 bootstrap/config.py                                |  10 +-
 bootstrap/generated-dists/Vagrantfile              |  10 +-
 .../{opensuse153 => opensuse154}/Dockerfile        |   2 +-
 .../{opensuse153 => opensuse154}/bootstrap.sh      |   4 +-
 .../{opensuse153 => opensuse154}/locale.sh         |   0
 .../{opensuse153 => opensuse154}/packages.yml      |   4 +-
 bootstrap/sha1sum.txt                              |   2 +-
 lib/krb5_wrap/krb5_samba.c                         |  46 +++---
 lib/krb5_wrap/krb5_samba.h                         |   8 +-
 source3/libads/ads_proto.h                         |   1 +
 source3/libads/kerberos_keytab.c                   | 166 ++++++++++++++++++---
 source3/utils/net_ads.c                            |  50 +++++++
 source4/libnet/libnet_export_keytab.c              |   3 +-
 testprogs/blackbox/test_net_ads.sh                 |  72 +++++++--
 16 files changed, 316 insertions(+), 74 deletions(-)
 rename bootstrap/generated-dists/{opensuse153 => opensuse154}/Dockerfile (92%)
 rename bootstrap/generated-dists/{opensuse153 => opensuse154}/bootstrap.sh 
(98%)
 rename bootstrap/generated-dists/{opensuse153 => opensuse154}/locale.sh (100%)
 rename bootstrap/generated-dists/{opensuse153 => opensuse154}/packages.yml 
(96%)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index c3174f5f1b5..314d5210ca6 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 1e06877f1afbb3dbd4283e00310d63216a274333
+  SAMBA_CI_CONTAINER_TAG: afb5d32dfeebf0f100bdf9073f0c802d051ec15e
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
@@ -61,7 +61,7 @@ variables:
   SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ubuntu1804
   SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004
   SAMBA_CI_CONTAINER_IMAGE_debian11: debian11
-  SAMBA_CI_CONTAINER_IMAGE_opensuse153: opensuse153
+  SAMBA_CI_CONTAINER_IMAGE_opensuse154: opensuse154
   SAMBA_CI_CONTAINER_IMAGE_fedora36: fedora36
   SAMBA_CI_CONTAINER_IMAGE_f36mit120: f36mit120
   SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
@@ -547,7 +547,7 @@ pages:
 coverity:
   extends: .shared_runner_build_image
   variables:
-    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse153}
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154}
   stage: build
   script:
     - wget https://scan.coverity.com/download/linux64 --post-data 
"token=$COVERITY_SCAN_TOKEN&project=$COVERITY_SCAN_PROJECT_NAME" -O 
/tmp/coverity_tool.tgz
@@ -629,10 +629,10 @@ debian11-samba-o3:
   variables:
     SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11}
 
-opensuse153-samba-o3:
+opensuse154-samba-o3:
   extends: .samba-o3-template
   variables:
-    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse153}
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_opensuse154}
 
 centos7-samba-o3:
   extends: .samba-o3-template
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 626e0103410..a9777348334 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -114,5 +114,5 @@ centos7:
     # We install a compat-gnutls34 package for GnuTLS >= 3.4.7
     PKG_CONFIG_PATH: 
/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig
 
-opensuse153:
+opensuse154:
   extends: .build_image_template
diff --git a/bootstrap/config.py b/bootstrap/config.py
index bf2ce5207bb..9546db1fb28 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -517,9 +517,9 @@ RPM_DISTS = {
             'libtracker-sparql-2.0-dev': '',  # only tracker 3.x is available
         }
     },
-    'opensuse153': {
-        'docker_image': 'opensuse/leap:15.3',
-        'vagrant_box': 'opensuse/openSUSE-15.3-x86_64',
+    'opensuse154': {
+        'docker_image': 'opensuse/leap:15.4',
+        'vagrant_box': 'opensuse/openSUSE-15.4-x86_64',
         'bootstrap': ZYPPER_BOOTSTRAP,
         'replace': {
             '@development-tools': '',
@@ -531,7 +531,7 @@ RPM_DISTS = {
             'jansson-devel': 'libjansson-devel',
             'keyutils-libs-devel': 'keyutils-devel',
             'krb5-workstation': 'krb5-client',
-            'python3-libsemanage': 'python2-semanage',
+            'python3-libsemanage': 'python3-semanage',
             'openldap-devel': 'openldap2-devel',
             'perl-Archive-Tar': 'perl-Archive-Tar-Wrapper',
             'perl-JSON-Parse': 'perl-JSON-XS',
@@ -546,8 +546,8 @@ RPM_DISTS = {
             'glusterfs-api-devel': '',
             'libtasn1-tools': '', # asn1Parser is part of libtasn1
             'mold': '',
-            'ShellCheck': '',
             'shfmt': '',
+            'yum-utils': '',
         }
     }
 }
diff --git a/bootstrap/generated-dists/Vagrantfile 
b/bootstrap/generated-dists/Vagrantfile
index 9b1b3f154d7..28f8f89b7d9 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -45,11 +45,11 @@ Vagrant.configure("2") do |config|
         v.vm.provision :shell, path: "fedora36/locale.sh"
     end
 
-    config.vm.define "opensuse153" do |v|
-        v.vm.box = "opensuse/openSUSE-15.3-x86_64"
-        v.vm.hostname = "opensuse153"
-        v.vm.provision :shell, path: "opensuse153/bootstrap.sh"
-        v.vm.provision :shell, path: "opensuse153/locale.sh"
+    config.vm.define "opensuse154" do |v|
+        v.vm.box = "opensuse/openSUSE-15.4-x86_64"
+        v.vm.hostname = "opensuse154"
+        v.vm.provision :shell, path: "opensuse154/bootstrap.sh"
+        v.vm.provision :shell, path: "opensuse154/locale.sh"
     end
 
     config.vm.define "ubuntu1804" do |v|
diff --git a/bootstrap/generated-dists/opensuse153/Dockerfile 
b/bootstrap/generated-dists/opensuse154/Dockerfile
similarity index 92%
rename from bootstrap/generated-dists/opensuse153/Dockerfile
rename to bootstrap/generated-dists/opensuse154/Dockerfile
index f252e8b2877..a6bdd6cb328 100644
--- a/bootstrap/generated-dists/opensuse153/Dockerfile
+++ b/bootstrap/generated-dists/opensuse154/Dockerfile
@@ -3,7 +3,7 @@
 # See also bootstrap/config.py
 #
 
-FROM opensuse/leap:15.3
+FROM opensuse/leap:15.4
 
 # pass in with --build-arg while build
 ARG SHA1SUM
diff --git a/bootstrap/generated-dists/opensuse153/bootstrap.sh 
b/bootstrap/generated-dists/opensuse154/bootstrap.sh
similarity index 98%
rename from bootstrap/generated-dists/opensuse153/bootstrap.sh
rename to bootstrap/generated-dists/opensuse154/bootstrap.sh
index fb155f18312..33f46c41284 100755
--- a/bootstrap/generated-dists/opensuse153/bootstrap.sh
+++ b/bootstrap/generated-dists/opensuse154/bootstrap.sh
@@ -12,6 +12,7 @@ zypper --non-interactive update
 zypper --non-interactive install \
     --no-recommends \
     system-user-nobody \
+    ShellCheck \
     acl \
     attr \
     autoconf \
@@ -81,7 +82,6 @@ zypper --non-interactive install \
     popt-devel \
     procps \
     psmisc \
-    python2-semanage \
     python3 \
     python3-Markdown \
     python3-cryptography \
@@ -92,6 +92,7 @@ zypper --non-interactive install \
     python3-pyasn1 \
     python3-python-dateutil \
     python3-requests \
+    python3-semanage \
     python3-setproctitle \
     readline-devel \
     rng-tools \
@@ -108,7 +109,6 @@ zypper --non-interactive install \
     which \
     xfsprogs-devel \
     xz \
-    yum-utils \
     zlib-devel
 
 zypper --non-interactive clean
diff --git a/bootstrap/generated-dists/opensuse153/locale.sh 
b/bootstrap/generated-dists/opensuse154/locale.sh
similarity index 100%
rename from bootstrap/generated-dists/opensuse153/locale.sh
rename to bootstrap/generated-dists/opensuse154/locale.sh
diff --git a/bootstrap/generated-dists/opensuse153/packages.yml 
b/bootstrap/generated-dists/opensuse154/packages.yml
similarity index 96%
rename from bootstrap/generated-dists/opensuse153/packages.yml
rename to bootstrap/generated-dists/opensuse154/packages.yml
index d555584c630..ddb2d37c4b7 100644
--- a/bootstrap/generated-dists/opensuse153/packages.yml
+++ b/bootstrap/generated-dists/opensuse154/packages.yml
@@ -1,5 +1,6 @@
 ---
 packages:
+  - ShellCheck
   - acl
   - attr
   - autoconf
@@ -69,7 +70,6 @@ packages:
   - popt-devel
   - procps
   - psmisc
-  - python2-semanage
   - python3
   - python3-Markdown
   - python3-cryptography
@@ -80,6 +80,7 @@ packages:
   - python3-pyasn1
   - python3-python-dateutil
   - python3-requests
+  - python3-semanage
   - python3-setproctitle
   - readline-devel
   - rng-tools
@@ -96,5 +97,4 @@ packages:
   - which
   - xfsprogs-devel
   - xz
-  - yum-utils
   - zlib-devel
\ No newline at end of file
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 0830eea5f84..b87fad087bb 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-1e06877f1afbb3dbd4283e00310d63216a274333
+afb5d32dfeebf0f100bdf9073f0c802d051ec15e
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 4afec815b0d..6edb2b84d75 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1630,28 +1630,33 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX 
*mem_ctx,
  *
  * @param[in]  keytab        The keytab to operate on.
  *
+ * @param[in]  keep_old_kvno Keep the entries with the previous kvno.
+ *
  * @param[in]  kvno          The kvnco to use.
  *
+ * @param[in]  enctype_only  Only evaluate the enctype argument if true
+ *
+ * @param[in]  enctype       Only search for entries with the specified enctype
+ *
  * @param[in]  princ_s       The principal as a string to search for.
  *
  * @param[in]  princ         The principal as a krb5_principal to search for.
  *
  * @param[in]  flush         Whether to flush the complete keytab.
  *
- * @param[in]  keep_old_entries Keep the entry with the previous kvno.
- *
  * @retval 0 on Sucess
  *
  * @return An appropriate KRB5 error code.
  */
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                                                        krb5_keytab keytab,
+                                                       bool keep_old_kvno,
                                                        krb5_kvno kvno,
+                                                       bool enctype_only,
                                                        krb5_enctype enctype,
                                                        const char *princ_s,
                                                        krb5_principal princ,
-                                                       bool flush,
-                                                       bool keep_old_entries)
+                                                       bool flush)
 {
        krb5_error_code ret;
        krb5_kt_cursor cursor;
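Review bot: The doc comment for the new `keep_old_kvno` and `enctype_only` arguments does not state which argument combinations the function accepts. The next hunk adds `SMB_ASSERT` checks: when `flush` is true, `keep_old_kvno` and `enctype_only` must be false and `princ_s` and `princ` must be NULL, and otherwise both principals must be non-NULL. A caller that gets this wrong fails an assertion instead of receiving a krb5 error code. I would put that contract into the `@param[in] flush` text, for example `Whether to flush the complete keytab; requires keep_old_kvno and enctype_only to be false and princ_s/princ to be NULL.` The `keep_old_kvno` text could also say that "previous kvno" means `kvno - 1` compared on the low 8 bits, as the later hunks show. The function body continues outside this hunk.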
@@ -1660,6 +1665,16 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
        krb5_kvno old_kvno = kvno - 1;
        TALLOC_CTX *tmp_ctx;
 
+       if (flush) {
+               SMB_ASSERT(!keep_old_kvno);
+               SMB_ASSERT(!enctype_only);
+               SMB_ASSERT(princ_s == NULL);
+               SMB_ASSERT(princ == NULL);
+       } else {
+               SMB_ASSERT(princ_s != NULL);
+               SMB_ASSERT(princ != NULL);
+       }
+
        ZERO_STRUCT(cursor);
        ZERO_STRUCT(kt_entry);
 
@@ -1680,7 +1695,7 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                krb5_enctype kt_entry_enctype =
                        smb_krb5_kt_get_enctype_from_entry(&kt_entry);
 
-               if (!flush && (princ_s != NULL)) {
+               if (princ_s != NULL) {
                        ret = smb_krb5_unparse_name(tmp_ctx, context,
                                                    kt_entry.principal,
                                                    &ktprinc);
@@ -1734,21 +1749,14 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                 * the compare accordingly.
                 */
 
-               if (!flush && ((kt_entry.vno & 0xff) == (old_kvno & 0xff))) {
+               if (keep_old_kvno && ((kt_entry.vno & 0xff) == (old_kvno & 
0xff))) {
                        DEBUG(5, (__location__ ": Saving previous (kvno %d) "
                                  "entry for principal: %s.\n",
                                  old_kvno, princ_s));
                        continue;
                }
 
-               if (keep_old_entries) {
-                       DEBUG(5, (__location__ ": Saving old (kvno %d) "
-                                 "entry for principal: %s.\n",
-                                 kvno, princ_s));
-                       continue;
-               }
-
-               if (!flush &&
+               if (enctype_only &&
                    ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
                    (kt_entry_enctype != enctype))
                {
@@ -1829,8 +1837,6 @@ out:
  *                            this is only set to false for encryption types
  *                            which do not support salting like RC4.
  *
- * @param[in]  keep_old_entries Whether to keep or delete old keytab entries.
- *
  * @retval 0 on Success
  *
  * @return A corresponding KRB5 error code.
@@ -1844,8 +1850,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context 
context,
                                      const char *salt_principal,
                                      krb5_enctype enctype,
                                      krb5_data *password,
-                                     bool no_salt,
-                                     bool keep_old_entries)
+                                     bool no_salt)
 {
        krb5_error_code ret;
        krb5_keytab_entry kt_entry;
@@ -1864,12 +1869,13 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context 
context,
        /* Seek and delete old keytab entries */
        ret = smb_krb5_kt_seek_and_delete_old_entries(context,
                                                      keytab,
+                                                     true, /* keep_old_kvno */
                                                      kvno,
+                                                     true, /* enctype_only */
                                                      enctype,
                                                      princ_s,
                                                      princ,
-                                                     false,
-                                                     keep_old_entries);
+                                                     false); /* flush */
        if (ret) {
                goto out;
        }
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index d082ed43f03..93a010323bf 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -213,12 +213,13 @@ krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
                                     const char **keytab_name);
 krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                                                        krb5_keytab keytab,
+                                                       bool keep_old_kvno,
                                                        krb5_kvno kvno,
+                                                       bool enctype_only,
                                                        krb5_enctype enctype,
                                                        const char *princ_s,
                                                        krb5_principal princ,
-                                                       bool flush,
-                                                       bool keep_old_entries);
+                                                       bool flush);
 krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
                                      krb5_keytab keytab,
                                      krb5_kvno kvno,
@@ -226,8 +227,7 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
                                      const char *salt_principal,
                                      krb5_enctype enctype,
                                      krb5_data *password,
-                                     bool no_salt,
-                                     bool keep_old_entries);
+                                     bool no_salt);
 
 krb5_error_code smb_krb5_get_credentials(krb5_context context,
                                         krb5_ccache ccache,
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index ce04ac2a252..76396aabc34 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -62,6 +62,7 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct 
security_descripto
 
 int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc,
                         bool update_ads);
+int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc);
 int ads_keytab_flush(ADS_STRUCT *ads);
 int ads_keytab_create_default(ADS_STRUCT *ads);
 int ads_keytab_list(const char *keytab_name);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index b7e1846bd9f..347879c54a5 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -306,8 +306,7 @@ static int add_kt_entry_etypes(krb5_context context, 
TALLOC_CTX *tmpctx,
                                            salt_princ_s,
                                            enctypes[i],
                                            password,
-                                           false,
-                                           false);
+                                           false); /* no_salt */
                if (ret) {
                        DBG_WARNING("Failed to add entry to keytab\n");
                        goto out;
@@ -322,8 +321,7 @@ static int add_kt_entry_etypes(krb5_context context, 
TALLOC_CTX *tmpctx,
                                                    salt_princ_s,
                                                    enctypes[i],
                                                    password,
-                                                   false,
-                                                   false);
+                                                   false); /* no_salt */
                        if (ret) {
                                DBG_WARNING("Failed to add short entry to 
keytab\n");
                                goto out;
@@ -460,22 +458,26 @@ out:
 }
 
 /**********************************************************************
- Flushes all entries from the system keytab.
+ Delete a single service principal, i.e. 'host' from the system keytab
 ***********************************************************************/
 
-int ads_keytab_flush(ADS_STRUCT *ads)
+int ads_keytab_delete_entry(ADS_STRUCT *ads, const char *srvPrinc)
 {
+       TALLOC_CTX *frame = talloc_stackframe();
        krb5_error_code ret = 0;
        krb5_context context = NULL;
        krb5_keytab keytab = NULL;
-       krb5_kvno kvno;
-       ADS_STATUS aderr;
+       char *princ_s = NULL;
+       krb5_principal princ = NULL;
+       char *short_princ_s = NULL;
+       krb5_principal short_princ = NULL;
+       bool ok;
 
        ret = smb_krb5_init_context_common(&context);
        if (ret) {
                DBG_ERR("kerberos init context failed (%s)\n",
                        error_message(ret));
-               return ret;
+               goto out;
        }
 
        ret = ads_keytab_open(context, &keytab);
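Review bot: `srvPrinc` is used without any check in the new `ads_keytab_delete_entry()`: the next hunk (truncated on this page) passes it to `strchr_m()` and then evaluates `srvPrinc[strlen(srvPrinc)-1] == '$'`, which reads one byte before the string when `srvPrinc` is empty. A guard before the principal is constructed would cover both the NULL and the empty case, e.g. `if (srvPrinc == NULL || srvPrinc[0] == '\0') { ret = -1; goto out; }`. Whether the `net ads keytab delete` caller already rejects an empty argument is not visible here, so this may only be defence in depth. The function body and its `out:` label lie outside this hunk, so it is worth confirming that the label releases `frame` now that the early `return ret` has become `goto out`.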
@@ -483,23 +485,153 @@ int ads_keytab_flush(ADS_STRUCT *ads)
                goto out;
        }
 
-       kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
-       if (kvno == -1) {
-               /* -1 indicates a failure */
-               DEBUG(1, (__location__ ": Error determining the kvno.\n"));
-               ret = -1;
+       /* Construct our principal */
+       if (strchr_m(srvPrinc, '@')) {
+               /* It's a fully-named principal. */
+               princ_s = talloc_asprintf(frame, "%s", srvPrinc);
+               if (!princ_s) {
+                       ret = -1;
+                       goto out;
+               }
+       } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
+               /* It's the machine account, as used by smbclient clients. */
+               princ_s = talloc_asprintf(frame, "%s@%s",
+                                         srvPrinc, lp_realm());
+               if (!princ_s) {
+                       ret = -1;
+                       goto out;
+               }
+       } else {
+               /*
+                * It's a normal service principal.
+                */
+               char *my_fqdn = NULL;
+               char *tmp = NULL;
+
+               /*
+                * SPN should have '/' otherwise we
+                * need to fallback and find our dnshostname
+                */
+               tmp = strchr_m(srvPrinc, '/');
+               if (tmp == NULL) {
+                       my_fqdn = ads_get_dnshostname(ads, frame, 
lp_netbios_name());
+                       if (!my_fqdn) {
+                               DBG_ERR("unable to determine machine account's 
dns name in "
+                                       "AD!\n");
+                               ret = -1;
+                               goto out;
+                       }
+               }
+
+               ok = service_or_spn_to_kerberos_princ(frame,
+                                                     srvPrinc,
+                                                     my_fqdn,
+                                                     &princ_s,
+                                                     &short_princ_s);
+               if (!ok) {
+                       ret = -1;
+                       goto out;
+               }
+       }
+
+       ret = smb_krb5_parse_name(context, princ_s, &princ);
+       if (ret) {


-- 
Samba Shared Repository
