The branch, master has been updated
       via  e61f53b656f WHATSNEW: Automatic keytab update after machine 
password changes
       via  6a97f8e16d8 selftest: Add tests for keytab update in clustered samba
       via  be29fe50adb selftest: setup clusteredmember with kerberos, change 
dependency to "ad_dc"
       via  c76727b3c77 selftest: Rename nt4_dc_vars -> dcvars in 
setup_clusteredmember
       via  fb0c2774ca7 script: clustered samba: Build samba-ctdb with ad-dc 
support
       via  bf13d9b3ef7 s3:script: clustered samba: Add script updatekeytab.sh
       via  1fcaf066f42 ctdb:events: Add 46.update-keytabs.script for 
'recovered' event
       via  e08b2963d98 s3:libads: Call 'sync machine password script' when 
machine password is updated
       via  f819ad25027 s3:utils: Remove from "net ads keytab": "add", "delete" 
and "add_update_ads"
       via  c10c49b3f00 s3:libads: Remove ads_keytab_create_default & friends
       via  ad6a91ba745 testprogs: Remove alias test from test_net_ads.sh
       via  abbf926067b testprogs: Remove dnshostname related test from 
test_net_ads.sh
       via  2304d96db32 testprogs: Use "HOST' instead of 'host' in 
test_net_ads.sh
       via  18aedcc84c8 testprogs: Remove upn related test from test_net_ads.sh
       via  d18babd1d70 testprogs: Remove "keytab add", "keytab delete" and 
"keytab add_apdate_ads" related tests from test_net_ads.sh
       via  90ec8adf1f2 selftest: Add tests for keytab update
       via  aff928268ad selftest: Add "sync machine password to keytab" to env. 
ad_member_idmap_nss
       via  253625dabf8 s3:utils: Change net_ads_keytab_create() to call 
sync_pw2keytabs()
       via  eeb79875c6e s3:libnet: Sync keytab during 
libnet_join_create_keytab()
       via  683f6eec40f s3: Sync machine account password in 
secrets_{prepare,finish}_password_change
       via  7c65aa8c7bc s3:ads: Remove 'kerberos method' warning for 'net ads 
keytab' functions
       via  49d09906890 s3:ads: Do not update system keytab from "net ads 
changetrustpw"
       via  da622ccc164 s3:lib: Sync machine password to keytab: helper 
functions
       via  f3ff6871197 s3:libads: Request "msDS-KeyVersionNumber" from 
ads_find_machine_acct()
       via  b007fb89d59 s3:libads: Use the TRACE SUPPORT for keys operations
       via  1185b03b275 krb5_wrap: Add TRACE SUPPORT for keys operations
       via  27ca58f9bf1 s3:testparm: Add check for "sync machine password to 
keytab" to testparm
       via  09c30299582 docs:smbdotconf: Add parameter 'sync machine password 
script'
       via  731a25b5c80 docs:smbdotconf: Add parameter 'sync machine password 
to keytab'
       via  3de8d294152 s3:lib: Merge library trusts_util into library ads
      from  07c0afe91d5 WHATSNEW.txt: document "veto files" and "hide files"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e61f53b656f074a80ae66dfda776b56b03cc9918
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Feb 12 10:25:06 2024 +0100

    WHATSNEW: Automatic keytab update after machine password changes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Pavel Filipensky <pfilipen...@samba.org>
    Autobuild-Date(master): Fri Jul 26 18:16:15 UTC 2024 on atb-devel-224

commit 6a97f8e16d888ac16069dcccccb81541520f6e5e
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Jul 15 17:07:59 2024 +0200

    selftest: Add tests for keytab update in clustered samba
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit be29fe50adb8732d5ddaceffe12a284f7a25f296
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Jul 15 17:07:59 2024 +0200

    selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c76727b3c77bece515064c2948e01919501367b7
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Jul 15 17:01:09 2024 +0200

    selftest: Rename nt4_dc_vars -> dcvars in setup_clusteredmember
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fb0c2774ca75d076994452a037e2dd3609383e04
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Jul 12 22:09:43 2024 +0200

    script: clustered samba: Build samba-ctdb with ad-dc support
    
    samba-tool requires addc support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bf13d9b3ef76a0d017fa7d81069f1d9da117de41
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Apr 9 08:39:40 2024 +0200

    s3:script: clustered samba: Add script updatekeytab.sh
    
    Admins should use this script as the smb.conf parameter 'sync machine
    password script' in clustered samba
    
    TODO: onnode will update the keytab on all connected nodes, so the
    update will happen on the triggering node twice. This can be improved in
    the future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1fcaf066f42cf01c6978416e99b132fdbb1f55de
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Apr 8 14:47:21 2024 +0200

    ctdb:events: Add 46.update-keytabs.script for 'recovered' event
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e08b2963d98ea82cb5989f5e7c80e808859e98dd
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Feb 28 13:30:30 2024 +0100

    s3:libads: Call 'sync machine password script' when machine password is 
updated
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f819ad25027e3b9c2fd46d57bd1a830af678b42c
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 10:58:13 2024 +0100

    s3:utils: Remove from "net ads keytab": "add", "delete" and "add_update_ads"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c10c49b3f00f7da2319d59b707a8c9d2acefc172
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Feb 12 12:19:14 2024 +0100

    s3:libads: Remove ads_keytab_create_default & friends
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ad6a91ba745304fe53ae5d0faf4f00c25d027877
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 10:14:28 2024 +0100

    testprogs: Remove alias test from test_net_ads.sh
    
    "net ads keytab create" no longer reads msDS-AdditionalDnsHostName from AD
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit abbf926067be41db11ed1cac4027e59d030db8ac
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 10:14:01 2024 +0100

    testprogs: Remove dnshostname related test from test_net_ads.sh
    
    "net ads keytab create" no longer reads dNSHostName from AD
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2304d96db328da2c6481cee9d22cfed66374187a
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 10:13:15 2024 +0100

    testprogs: Use "HOST' instead of 'host' in test_net_ads.sh
    
    "net ads keytab create" now uses the same value as in AD;
    the conversion to lower case is no longer done
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 18aedcc84c873ab649accab42ad5ee19727ae4cb
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 09:47:34 2024 +0100

    testprogs: Remove upn related test from test_net_ads.sh
    
    "net ads keytab create" will no longer read "userPrincipalName" from AD
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d18babd1d70cec47889b6426a63275a1b8ceecd7
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 09:15:03 2024 +0100

    testprogs: Remove "keytab add", "keytab delete" and "keytab add_apdate_ads" 
related tests from test_net_ads.sh
    
    "net ads" will no longer support "keytab add", "keytab delete" and "keytab add_update_ads"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 90ec8adf1f2ef8ec25ea67c066fec7f731bbb4dc
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Sep 3 19:10:01 2021 +0200

    selftest: Add tests for keytab update
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit aff928268adf66df029a126814ac3fad7262eacb
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Sep 3 19:07:48 2021 +0200

    selftest: Add "sync machine password to keytab" to env. ad_member_idmap_nss
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 253625dabf8c1e736820c4dc5c1f5d170d960574
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Feb 15 11:10:06 2024 +0100

    s3:utils: Change net_ads_keytab_create() to call sync_pw2keytabs()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit eeb79875c6edc82bfcaa8ed5d0eade77d64f7e8d
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Feb 13 13:43:50 2024 +0100

    s3:libnet: Sync keytab during libnet_join_create_keytab()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 683f6eec40f2efbb122329800ebb2f5d2f518746
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Dec 21 13:57:38 2023 +0100

    s3: Sync machine account password in 
secrets_{prepare,finish}_password_change
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7c65aa8c7bc1cd3e0da1621c24ccfeaa0c4d4a53
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Jul 26 13:15:03 2024 +0200

    s3:ads: Remove 'kerberos method' warning for 'net ads keytab' functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 49d09906890dbd864de155cfdb90e96527fc478e
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Dec 21 13:57:38 2023 +0100

    s3:ads: Do not update system keytab from "net ads changetrustpw"
    
    It will be done in secrets_{prepare,finish}_password_change
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit da622ccc16413c3020dd314ba50f9c1a0317824d
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Mon Sep 6 16:58:17 2021 +0200

    s3:lib: Sync machine password to keytab: helper functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f3ff6871197f9b3aef58804c07328ecf4feec5fe
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Tue Jan 23 17:19:30 2024 +0100

    s3:libads: Request "msDS-KeyVersionNumber" from ads_find_machine_acct()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b007fb89d59e275a82e717ea33c264d52f6899ba
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Dec 7 17:49:07 2023 +0100

    s3:libads: Use the TRACE SUPPORT for keys operations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1185b03b275a093a6dda84fc7d8cf3b983c9a07f
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Wed Jul 7 20:06:48 2021 +0200

    krb5_wrap: Add TRACE SUPPORT for keys operations
    
    The trace looks like the example below. The most useful part is the last
    field, a hex dump of the key data, which allows searching for all manipulations.
    
    KEYTAB_TRACE sync_pw2keytabs_process_keytab:622 add 
ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM 14 17 C66D244CB26005C7D6FF9FC00FCBBE4A
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 27ca58f9bf14fcdc834869fad5631fca9e1c4652
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Sun Dec 17 16:15:00 2023 +0100

    s3:testparm: Add check for "sync machine password to keytab" to testparm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 09c302995826a8c54fce97b60e4bab98aec472c0
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Feb 28 13:30:55 2024 +0100

    docs:smbdotconf: Add parameter 'sync machine password script'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 731a25b5c80690609b4ed5523cea3a098e42de28
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Fri Sep 3 19:07:01 2021 +0200

    docs:smbdotconf: Add parameter 'sync machine password to keytab'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3de8d2941529af5a89069bd8e0caed0bcb508869
Author: Pavel Filipenský <pfili...@redhat.com>
Date:   Wed Jun 2 15:20:46 2021 +0200

    s3:lib: Merge library trusts_util into library ads
    
    The function trust_pw_change(), originally from the trusts_util library, was
    updated to call functionality from the ads library. This would introduce a
    circular dependency between the two libraries. To avoid it, trusts_util is
    merged into ads.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750
    
    Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |   19 +
 ctdb/config/events/legacy/46.update-keytabs.script |   11 +
 .../security/syncmachinepasswordscript.xml         |   15 +
 .../security/syncmachinepasswordtokeytab.xml       |   69 +
 lib/krb5_wrap/krb5_samba.c                         |  114 +-
 lib/krb5_wrap/krb5_samba.h                         |  118 +-
 script/autobuild.py                                |    1 -
 selftest/target/Samba3.pm                          |   75 +-
 source3/include/secrets.h                          |    6 +-
 source3/libads/ads_proto.h                         |   15 +-
 source3/libads/kerberos_keytab.c                   | 1569 +++++++++++---------
 source3/libads/ldap.c                              |  235 +--
 source3/{libsmb => libads}/trusts_util.c           |   36 +-
 source3/libads/util.c                              |   17 +-
 source3/libnet/libnet_join.c                       |   10 +-
 source3/passdb/machine_account_secrets.c           |   39 +-
 source3/rpcclient/wscript_build                    |    2 +-
 source3/script/tests/test_update_keytab.sh         |  450 ++++++
 .../script/tests/test_update_keytab_clustered.sh   |  165 ++
 source3/script/updatekeytab.sh                     |    3 +
 source3/script/updatekeytab_test.sh                |    3 +
 source3/selftest/tests.py                          |   18 +
 source3/utils/net.c                                |   17 +-
 source3/utils/net_ads.c                            |  146 +-
 source3/utils/testparm.c                           |   92 ++
 source3/utils/wscript_build                        |    1 -
 source3/wscript_build                              |   14 +-
 source4/selftest/tests.py                          |    2 +-
 testprogs/blackbox/test_net_ads.sh                 |  163 +-
 29 files changed, 2000 insertions(+), 1425 deletions(-)
 create mode 100755 ctdb/config/events/legacy/46.update-keytabs.script
 create mode 100644 docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
 create mode 100644 docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
 rename source3/{libsmb => libads}/trusts_util.c (97%)
 create mode 100755 source3/script/tests/test_update_keytab.sh
 create mode 100755 source3/script/tests/test_update_keytab_clustered.sh
 create mode 100755 source3/script/updatekeytab.sh
 create mode 100755 source3/script/updatekeytab_test.sh


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d366393249a..7e283f6031a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -183,10 +183,27 @@ groups. To apply a veto or hide directive to a filename 
for a specific user or
 group, prefix the filename with "../USERNAME/" or "../GROUPNAME/". For details
 consult the updated smb.conf manpage.
 
+Automatic keytab update after machine password change
+-----------------------------------------------------
+
+When machine account password is updated, either by winbind doing regular
+updates or manually (e.g. net ads changetrustpw), now winbind will also support
+update of keytab entries in case you use newly added option
+'sync machine password to keytab'.
+The new parameter allows you to describe what keytabs and how should be 
updated.
+A new parameter 'sync machine password script' allows to specify external 
script
+that will be triggered after the automatic keytab update. For detailed
+information check the smb.conf manpage.
 
 REMOVED FEATURES
 ================
 
+Following commands are removed:
+
+net ads keytab add <principal>
+net ads keytab delete <principal>
+net ads keytab add_update_ads
+
 
 smb.conf changes
 ================
@@ -205,6 +222,8 @@ smb.conf changes
   write list                              Hardening
   veto files                              Added per-user and per-group vetos
   hide files                              Added per-user and per-group hides
+  sync machine password to keytab         keytabs
+  sync machine password script            script
 
 
 KNOWN ISSUES
diff --git a/ctdb/config/events/legacy/46.update-keytabs.script 
b/ctdb/config/events/legacy/46.update-keytabs.script
new file mode 100755
index 00000000000..f207a7b6a8f
--- /dev/null
+++ b/ctdb/config/events/legacy/46.update-keytabs.script
@@ -0,0 +1,11 @@
+#!/bin/sh
+# script to update keytab
+
+[ -n "$CTDB_BASE" ] ||
+       CTDB_BASE=$(d=$(dirname "$0") && cd -P "$d" && dirname "$PWD")
+
+case "$1" in
+recovered)
+       net ads keytab create --option='sync machine password script=' 
--configfile="$CTDB_BASE/lib/server.conf"
+       ;;
+esac
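Review bot: The `--option='sync machine password script='` passed to `net ads keytab create` carries intent that the script never states; presumably it blanks the parameter so the keytab refresh run for the 'recovered' event does not itself re-trigger the sync script on every node (the updatekeytab.sh commit message mentions onnode fanning out), but a reader of this event script cannot tell. A one-line comment above the call, `# Blank 'sync machine password script' so this refresh does not re-run the sync script on each node`, would make that explicit. Note also that `net` is the last command executed, so its exit status becomes the event script's exit status; if a failed keytab refresh is meant to fail the 'recovered' event, a short comment saying so would save the next reader from guessing.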
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml 
b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
new file mode 100644
index 00000000000..341613372f5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="sync machine password script"
+                 context="G"
+                 type="string"
+                 substitution="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para>
+       This is the full pathname to a script that will be run by
+        <citerefentry><refentrytitle>winbindd</refentrytitle> 
<manvolnum>8</manvolnum></citerefentry> when a machine account password is 
updated.
+       </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/sync_machine_password</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml 
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
new file mode 100644
index 00000000000..48d89213acf
--- /dev/null
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -0,0 +1,69 @@
+<samba:parameter name="sync machine password to keytab"
+                 context="G"
+                 type="cmdlist"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+    <para>This option allows you to describe what keytabs and how should be
+    updated when machine account is changed via one of these commands
+
+<programlisting>
+wbinfo --change-secret
+rpcclient --machine-pass -c change_trust_pw
+net rpc changetrustpw
+net ads changetrustpw
+</programlisting>
+
+    or by winbindd doing regular updates (see <smbconfoption name="machine 
password timeout"/>)
+
+</para>
+
+<para>The option takes a list of keytab strings. Each string has this form:
+
+<programlisting>
+    
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
+</programlisting>
+
+    where spn_spec can have exactly one of these three forms:
+<programlisting>
+    account_name
+    sync_spns
+    spn_prefixes=value1[,value2[...]]
+    spns=value1[,value2[...]]
+</programlisting>
+<para>
+    No other combinations are allowed.
+
+    Specifiers:
+    account_name - creates entry using principal 'computer$@REALM'.
+    sync_spns   - uses principals received from AD DC.
+    spn_prefixes - creates principals from the prefixes and adds 
netbios_aliases or additional_dns_hostnames if specified.
+    spns    - creates only the principals defined in the list.
+
+    Options:
+    sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC 
and is used to find the highest common enc type for AD and KRB5 lib.
+    sync_kvno - the key version number ("msDS-KeyVersionNumber") is 
synchronized from DC, otherwise is set to -1.
+    netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, 
PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for 
each alias. See <smbconfoption name="netbios aliases"/>
+    additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, 
PREFIX/dnshostname@REALM is  added for each dns name. See <smbconfoption 
name="additional dns hostnames"/>
+    machine_password - mandatory, if missing the entry is ignored. For future 
use.
+</para>
+
+</para>
+<para>
+Example:
+<programlisting>
+    "/path/to/keytab0:account_name:machine_password",
+    "/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
+    "/path/to/keytab2:sync_spns:machine_password",
+    "/path/to/keytab3:sync_spns:sync_kvno:machine_password",
+    "/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
+    
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
+    "/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
+    
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
+</programlisting>
+If sync_etypes or sync_kvno or sync_spns is present then winbind connects to 
DC. For "offline domain join" it might be useful not to use these options.
+
+If no value is present, winbind uses value 
/path/to/keytab:sync_spns:sync_kvno:machine_password
+where the path to the keytab is obtained either from the krb5 library or from 
<smbconfoption name="dedicated keytab file"/>
+</para>
+</description>
+</samba:parameter>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 517f190f217..451616c79e5 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1808,7 +1808,7 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
        }
 
        DEBUG(3, (__location__ ": Will try to delete old keytab entries\n"));
-       while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
+       while (!samba_krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
                bool name_ok = false;
                krb5_enctype kt_entry_enctype =
                        smb_krb5_kt_get_enctype_from_entry(&kt_entry);
@@ -1898,7 +1898,7 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                                  "failed (%s)\n", error_message(ret)));
                        goto out;
                }
-               ret = krb5_kt_remove_entry(context, keytab, &kt_entry);
+               ret = samba_krb5_kt_remove_entry(context, keytab, &kt_entry);
                if (ret) {
                        DEBUG(1, (__location__ ": krb5_kt_remove_entry() "
                                  "failed (%s)\n", error_message(ret)));
@@ -1936,116 +1936,6 @@ out:
        return ret;
 }
 
-/**
- * @brief Add a keytab entry for the given principal
- *
- * @param[in]  context       The krb5 context to use.
- *
- * @param[in]  keytab        The keytab to add the entry to.
- *
- * @param[in]  kvno          The kvno to use.
- *
- * @param[in]  princ_s       The principal as a string.
- *
- * @param[in]  salt_principal The salt principal to salt the password with.
- *                            Only needed for keys which support salting.
- *                            If no salt is used set no_salt to false and
- *                            pass NULL here.
- *
- * @param[in]  enctype        The encryption type of the keytab entry.
- *
- * @param[in]  password       The password of the keytab entry.
- *
- * @retval 0 on Success
- *
- * @return A corresponding KRB5 error code.
- *
- * @see smb_krb5_kt_open()
- */
-krb5_error_code smb_krb5_kt_add_password(krb5_context context,
-                                        krb5_keytab keytab,
-                                        krb5_kvno kvno,
-                                        const char *princ_s,
-                                        const char *salt_principal,
-                                        krb5_enctype enctype,
-                                        krb5_data *password)
-{
-       krb5_error_code ret;
-       krb5_keytab_entry kt_entry;
-       krb5_principal princ = NULL;
-       krb5_keyblock *keyp;
-       krb5_principal salt_princ = NULL;
-
-       ZERO_STRUCT(kt_entry);
-
-       ret = smb_krb5_parse_name(context, princ_s, &princ);
-       if (ret) {
-               DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
-                         "failed (%s)\n", princ_s, error_message(ret)));
-               goto out;
-       }
-
-       /* Seek and delete old keytab entries */
-       ret = smb_krb5_kt_seek_and_delete_old_entries(context,
-                                                     keytab,
-                                                     true, /* keep_old_kvno */
-                                                     kvno,
-                                                     true, /* enctype_only */
-                                                     enctype,
-                                                     princ_s,
-                                                     princ,
-                                                     false); /* flush */
-       if (ret) {
-               goto out;
-       }
-
-       /* If we get here, we have deleted all the old entries with kvno's
-        * not equal to the current kvno-1. */
-
-       keyp = KRB5_KT_KEY(&kt_entry);
-
-       /* Now add keytab entries for all encryption types */
-       ret = smb_krb5_parse_name(context, salt_principal, &salt_princ);
-       if (ret) {
-               DBG_WARNING("krb5_parse_name(%s) failed (%s)\n",
-                           salt_principal, error_message(ret));
-               goto out;
-       }
-
-       ret = smb_krb5_create_key_from_string(context,
-                                             salt_princ,
-                                             NULL,
-                                             password,
-                                             enctype,
-                                             keyp);
-       krb5_free_principal(context, salt_princ);
-       if (ret != 0) {
-               goto out;
-       }
-
-       kt_entry.principal = princ;
-       kt_entry.vno       = kvno;
-
-       DEBUG(3, (__location__ ": adding keytab entry for (%s) with "
-                 "encryption type (%d) and version (%d)\n",
-                 princ_s, enctype, kt_entry.vno));
-       ret = krb5_kt_add_entry(context, keytab, &kt_entry);
-       krb5_free_keyblock_contents(context, keyp);
-       ZERO_STRUCT(kt_entry);
-       if (ret) {
-               DEBUG(1, (__location__ ": adding entry to keytab "
-                         "failed (%s)\n", error_message(ret)));
-               goto out;
-       }
-
-out:
-       if (princ) {
-               krb5_free_principal(context, princ);
-       }
-
-       return ret;
-}
-
 #if defined(HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE) && \
     defined(HAVE_KRB5_GET_CREDS_OPT_ALLOC) && \
     defined(HAVE_KRB5_GET_CREDS)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 6c04cb00f62..0acf567371c 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -25,6 +25,8 @@
 
 #include "lib/util/data_blob.h"
 #include "libcli/util/ntstatus.h"
+#include "lib/util/talloc_stack.h"
+#include "lib/util/debug.h"
 
 #ifdef HAVE_KRB5
 
@@ -189,6 +191,115 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
                                      krb5_const_principal principal,
                                      char **unix_name);
 
+static inline void samba_trace_keytab_entry(krb5_context context,
+                             krb5_keytab_entry kt_entry,
+                             const char *func,
+                             int line,
+                             const char *op)
+{
+       char *princ_s = NULL;
+#define MAX_KEYLEN 64
+       char tmp[2 * MAX_KEYLEN + 1] = { 0, };
+       krb5_enctype enctype = 0;
+       krb5_keyblock *key = NULL;
+       TALLOC_CTX *frame = talloc_stackframe();
+       krb5_error_code code;
+       const uint8_t *ptr = NULL;
+       unsigned len;
+       int i;
+
+       code = smb_krb5_unparse_name(frame,
+                                    context,
+                                    kt_entry.principal,
+                                    &princ_s);
+       if (code != 0) {
+               goto out;
+       }
+       enctype = KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry));
+       key = KRB5_KT_KEY(&kt_entry);
+#ifdef DEBUG_PASSWORD
+       ptr = (const uint8_t *) KRB5_KEY_DATA(key);
+       len = KRB5_KEY_LENGTH(key);
+
+       for (i = 0; i < len && i < MAX_KEYLEN; i++) {
+               snprintf(&tmp[2 * i], 3, "%02X", ptr[i]);
+       }
+#else
+       tmp[0] = 0;
+#endif
+       DEBUG(10,("KEYTAB_TRACE %36s:%-4d %3s %78s %3d %2d %s\n",
+                 func,
+                 line,
+                 op,
+                 princ_s,
+                 kt_entry.vno,
+                 enctype,
+                 tmp));
+out:
+       TALLOC_FREE(frame);
+}
+
+#if defined(__GNUC__) && defined(DEVELOPER)
+/* http://gcc.gnu.org/onlinedocs/gcc/Statement-Exprs.html */
+
+#define samba_krb5_kt_add_entry(context, id, entry)                          \
+       ({                                                                   \
+               krb5_error_code _code;                                       \
+               _code = krb5_kt_add_entry((context), (id), (entry));         \
+               if (CHECK_DEBUGLVL(10)) {                                    \
+                       samba_trace_keytab_entry((context),                  \
+                                                *(entry),                   \
+                                                __func__,                   \
+                                                __LINE__,                   \
+                                                _code == 0 ? "add"          \
+                                                           : "add FAILED"); \
+               }                                                            \
+               _code;                                                       \
+       })
+
+#define samba_krb5_kt_remove_entry(context, id, entry)                       \
+       ({                                                                   \
+               krb5_error_code _code;                                       \
+               _code = krb5_kt_remove_entry((context), (id), (entry));      \
+               if (CHECK_DEBUGLVL(10)) {                                    \
+                       samba_trace_keytab_entry((context),                  \
+                                                *(entry),                   \
+                                                __func__,                   \
+                                                __LINE__,                   \
+                                                _code == 0 ? "rem"          \
+                                                           : "rem FAILED"); \
+               }                                                            \
+               _code;                                                       \
+       })
+
+#define samba_krb5_kt_next_entry(context, id, entry, cursor) \
+       ({                                                   \
+               krb5_error_code _code;                       \
+               _code = krb5_kt_next_entry((context),        \
+                                          (id),             \
+                                          (entry),          \
+                                          (cursor));        \
+               if (_code == 0 && CHECK_DEBUGLVL(10)) {      \
+                       samba_trace_keytab_entry((context),  \
+                                                *(entry),   \
+                                                __func__,   \
+                                                __LINE__,   \
+                                                "nxt");     \
+               }                                            \
+               _code;                                       \
+       })
+
+#else
+
+#define samba_krb5_kt_add_entry(context, id, entry) \
+       krb5_kt_add_entry((context), (id), (entry))
+#define samba_krb5_kt_remove_entry(context, id, entry) \
+       krb5_kt_remove_entry((context), (id), (entry))
+#define samba_krb5_kt_next_entry(context, id, entry, cursor) \
+       krb5_kt_next_entry((context), (id), (entry), (cursor))
+
+#endif
+
 krb5_error_code smb_krb5_init_context_common(krb5_context *_krb5_context);
 
 /*
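Review bot: When DEBUG_PASSWORD is defined, samba_trace_keytab_entry() hex-encodes the raw long-term key from KRB5_KEY_DATA() into `tmp` and writes it to the debug log at level 10 on every keytab add/remove/next, and `tmp` is left unscrubbed on the stack after the DEBUG() call at `out:`. The `#ifdef DEBUG_PASSWORD` branch should carry a comment stating that such a build leaks keytab keys into log files, and `tmp` should be zeroed before return (memset alone may be optimized away, so use the project's burn helper if one is in scope here). Separately, `#define MAX_KEYLEN 64` inside a static inline in this widely included header leaks a generic name into every translation unit; prefix it and `#undef` it after the function. `i` is `int` while `len` is `unsigned`, so `i < len` is a signed/unsigned comparison that -Wsign-compare builds are likely to flag, and in non-DEBUG_PASSWORD builds `ptr`, `len` and `i` are declared but never used, which may draw unused-variable warnings; moving those three into the `#ifdef` block fixes both. The samba_krb5_kt_* macros themselves look fine; the rewrite below touches only the function body.
```c
	/* … unchanged: samba_trace_keytab_entry() signature … */
	char *princ_s = NULL;
#define SAMBA_KT_TRACE_MAX_KEYLEN 64
	char tmp[2 * SAMBA_KT_TRACE_MAX_KEYLEN + 1] = { 0, };
	krb5_enctype enctype = 0;
	krb5_keyblock *key = NULL;
	TALLOC_CTX *frame = talloc_stackframe();
	krb5_error_code code;

	/* … unchanged: smb_krb5_unparse_name(), enctype/key lookup … */
#ifdef DEBUG_PASSWORD
	/*
	 * WARNING: writes the raw long-term key, hex-encoded, to the debug
	 * log at level 10.  DEBUG_PASSWORD builds must never be deployed.
	 */
	{
		const uint8_t *ptr = (const uint8_t *) KRB5_KEY_DATA(key);
		unsigned len = KRB5_KEY_LENGTH(key);
		unsigned i;

		for (i = 0; i < len && i < SAMBA_KT_TRACE_MAX_KEYLEN; i++) {
			snprintf(&tmp[2 * i], 3, "%02X", ptr[i]);
		}
	}
#else
	tmp[0] = 0;
#endif
	/* … unchanged: DEBUG(10, ("KEYTAB_TRACE …")) … */
out:
	/* tmp may hold key material: scrub it before returning */
	memset(tmp, 0, sizeof(tmp));
	TALLOC_FREE(frame);
}
#undef SAMBA_KT_TRACE_MAX_KEYLEN
```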
@@ -281,13 +392,6 @@ krb5_error_code 
smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
                                                        const char *princ_s,
                                                        krb5_principal princ,
                                                        bool flush);
-krb5_error_code smb_krb5_kt_add_password(krb5_context context,
-                                        krb5_keytab keytab,
-                                        krb5_kvno kvno,
-                                        const char *princ_s,
-                                        const char *salt_principal,
-                                        krb5_enctype enctype,
-                                        krb5_data *password);
 
 krb5_error_code smb_krb5_get_credentials(krb5_context context,
                                         krb5_ccache ccache,
diff --git a/script/autobuild.py b/script/autobuild.py
index 5bea99f1fde..a62ac8c162f 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -852,7 +852,6 @@ tasks = {
          "./configure.developer ${PREFIX} "
          "--with-selftest-prefix=./bin/ab "
          "--with-cluster-support "
-         "--without-ad-dc "
          "--bundled-libraries=!tdb"),
             ("samba-make", "make"),
             ("samba-check", "./bin/smbd --configfile=/dev/null -b | grep 
CLUSTER_SUPPORT"),
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 23c7d284e85..8d7f690ecf6 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -255,7 +255,7 @@ sub check_env($$)
        ad_member_idmap_nss => ["ad_dc"],
        ad_member_s3_join   => ["vampire_dc"],
 
-       clusteredmember => ["nt4_dc"],
+       clusteredmember => ["ad_dc"],
 );
 
 %Samba3::ENV_DEPS_POST = ();
@@ -497,7 +497,7 @@ sub setup_nt4_member
 
 sub setup_clusteredmember
 {
-       my ($self, $prefix, $nt4_dc_vars) = @_;
+       my ($self, $prefix, $dcvars) = @_;
        my $count = 0;
        my $rc;
        my @retvals = ();
@@ -539,7 +539,10 @@ sub setup_clusteredmember
                }
 
                my $member_options = "
-       security = domain
+       security = ADS
+       workgroup = $dcvars->{DOMAIN}
+       realm = $dcvars->{REALM}
+       password server = $dcvars->{SERVER}
        server signing = on
        clustering = yes
        rpc start on demand helpers = false
@@ -548,11 +551,12 @@ sub setup_clusteredmember
        include = registry
        dbwrap_tdb_mutexes:* = yes
        ${require_mutexes}
+       sync machine password to keytab = 
$node_prefix/keytab0:account_name:machine_password:sync_kvno
 ";
 
                my $node_ret = $self->provision(
                    prefix => "$node_prefix",
-                   domain => $nt4_dc_vars->{DOMAIN},
+                   domain => $dcvars->{DOMAIN},
                    server => "$server_name",
                    password => "clustermember8pass",
                    netbios_name => "CLUSTEREDMEMBER",
@@ -618,13 +622,28 @@ sub setup_clusteredmember
 
        $ret = {%$ctdb_data, %{$retvals[0]}};
 


-- 
Samba Shared Repository

