The branch, master has been updated
       via  6d6531d0e21 testprogs: Use 'sync machine password to keytab' for 
keytab creation
       via  6008120a77e testprogs: Remove dead code
       via  5e5f0e3742b docs-xml: Document 'net ads keytab list'
       via  2f4c6c6633b s3:net: 'net ads keytab list' should only list default 
keytab
       via  684ca0b028b s3:net: Remove `net ads keytab flush`
      from  7089ece58ef smbd: convert all fsp->fh->private_options to fsp_flags

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6d6531d0e21d37f85e01e4c849dc5051b2a8a708
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 11 09:32:30 2025 +0200

    testprogs: Use 'sync machine password to keytab' for keytab creation
    
    We want to get rid of dedicatedkeytabfile for writing keytabs.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Fri Apr 11 08:38:49 UTC 2025 on atb-devel-224

commit 6008120a77e67853307a58476afc6504ff7a538b
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 11 09:27:02 2025 +0200

    testprogs: Remove dead code
    
    The test for this has been removed already, this is just leftover.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>

commit 5e5f0e3742b6141d212d31c24f503c96e5d74be9
Author: Andreas Schneider <[email protected]>
Date:   Thu Apr 10 17:34:10 2025 +0200

    docs-xml: Document 'net ads keytab list'
    
    Reviewed-by: Pavel Filipenský <[email protected]>

commit 2f4c6c6633b75e98f967483dde39d8b8a6967908
Author: Andreas Schneider <[email protected]>
Date:   Thu Apr 10 16:13:42 2025 +0200

    s3:net: 'net ads keytab list' should only list default keytab
    
    If you don't specify a keytab, assume we just want the default keytab. This 
will
    make upcoming changes to the code easier.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>

commit 684ca0b028b2f6d4ba2c616cda62e52a075f869f
Author: Andreas Schneider <[email protected]>
Date:   Thu Apr 10 16:07:46 2025 +0200

    s3:net: Remove `net ads keytab flush`
    
    This removes all entries from a keytab *and* removes all SPNs from the AD
    machine account. We should not do that and if you want to get rid of the 
keytab
    you can use `rm`.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Pavel Filipenský <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/net.8.xml        |   9 +++
 source3/libads/ads_proto.h         |   1 -
 source3/libads/kerberos_keytab.c   | 129 ++++++-------------------------------
 source3/utils/net_ads.c            |  44 +------------
 testprogs/blackbox/test_net_ads.sh |  34 ++++------
 5 files changed, 40 insertions(+), 177 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 01b704c8841..a2cdcac1e9c 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1636,6 +1636,15 @@ available.
 </para>
 </refsect2>
 
+<refsect2>
+    <title>ADS KEYTAB <replaceable>LIST</replaceable> 
<replaceable>[keytab]</replaceable></title>
+
+    <para>
+        The command will list the contents of a keytab. If no keytab is
+        specified it will display the default keytab configured by KRB5.
+    </para>
+</refsect2>
+
 <refsect2>
 <title>(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> 
<replaceable>(principal | machine | serviceclass | windows 
SPN)</replaceable></title>
 
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 8440c35e46d..e5b68530866 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -62,7 +62,6 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct 
security_descripto
 
 /* The following definitions come from libads/kerberos_keytab.c  */
 
-int ads_keytab_flush(ADS_STRUCT *ads);
 int ads_keytab_list(const char *keytab_name);
 
 /* The following definitions come from libads/net_ads_setspn.c  */
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 49a892e5a55..ed26c6af499 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,13 +34,13 @@
 
 #ifdef HAVE_KRB5
 
-#ifdef HAVE_ADS
-
 /* This MAX_NAME_LEN is a constant defined in krb5.h */
 #ifndef MAX_KEYTAB_NAME_LEN
 #define MAX_KEYTAB_NAME_LEN 1100
 #endif
 
+#ifdef HAVE_ADS
+
 enum spn_spec_type {
        SPN_SPEC_ACCOUNT_NAME,
        SPN_SPEC_SYNC_ACCOUNT_NAME,
@@ -1152,108 +1152,6 @@ params_ready:
        TALLOC_FREE(frame);
        return NT_STATUS_OK;
 }
-
-static krb5_error_code ads_keytab_open(krb5_context context,
-                                      krb5_keytab *keytab)
-{
-       char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
-       const char *keytab_name = NULL;
-       krb5_error_code ret = 0;
-
-       switch (lp_kerberos_method()) {
-       case KERBEROS_VERIFY_SYSTEM_KEYTAB:
-       case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
-               ret = krb5_kt_default_name(context,
-                                          keytab_str,
-                                          sizeof(keytab_str) - 2);
-               if (ret != 0) {
-                       DBG_WARNING("Failed to get default keytab name\n");
-                       goto out;
-               }
-               keytab_name = keytab_str;
-               break;
-       case KERBEROS_VERIFY_DEDICATED_KEYTAB:
-               keytab_name = lp_dedicated_keytab_file();
-               break;
-       default:
-               DBG_ERR("Invalid kerberos method set (%d)\n",
-                       lp_kerberos_method());
-               ret = KRB5_KT_BADNAME;
-               goto out;
-       }
-
-       if (keytab_name == NULL || keytab_name[0] == '\0') {
-               DBG_ERR("Invalid keytab name\n");
-               ret = KRB5_KT_BADNAME;
-               goto out;
-       }
-
-       ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
-       if (ret != 0) {
-               DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
-                           error_message(ret));
-               goto out;
-       }
-
-out:
-       return ret;
-}
-
-/**********************************************************************
- Flushes all entries from the system keytab.
-***********************************************************************/
-
-int ads_keytab_flush(ADS_STRUCT *ads)
-{
-       krb5_error_code ret = 0;
-       krb5_context context = NULL;
-       krb5_keytab keytab = NULL;
-       ADS_STATUS aderr;
-
-       ret = smb_krb5_init_context_common(&context);
-       if (ret) {
-               DBG_ERR("kerberos init context failed (%s)\n",
-                       error_message(ret));
-               return ret;
-       }
-
-       ret = ads_keytab_open(context, &keytab);
-       if (ret != 0) {
-               goto out;
-       }
-
-       /* Seek and delete all old keytab entries */
-       ret = smb_krb5_kt_seek_and_delete_old_entries(context,
-                                                     keytab,
-                                                     false, /* keep_old_kvno */
-                                                     -1,
-                                                     false, /* enctype_only */
-                                                     ENCTYPE_NULL,
-                                                     NULL,
-                                                     NULL,
-                                                     true); /* flush */
-       if (ret) {
-               goto out;
-       }
-
-       aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
-       if (!ADS_ERR_OK(aderr)) {
-               DEBUG(1, (__location__ ": Error while clearing service "
-                         "principal listings in LDAP.\n"));
-               ret = -1;
-               goto out;
-       }
-
-out:
-       if (keytab) {
-               krb5_kt_close(context, keytab);
-       }
-       if (context) {
-               krb5_free_context(context);
-       }
-       return ret;
-}
-
 #endif /* HAVE_ADS */
 
 /**********************************************************************
@@ -1267,6 +1165,7 @@ int ads_keytab_list(const char *keytab_name)
        krb5_keytab keytab = NULL;
        krb5_kt_cursor cursor;
        krb5_keytab_entry kt_entry;
+       char default_keytab[MAX_KEYTAB_NAME_LEN] = {0};
 
        ZERO_STRUCT(kt_entry);
        ZERO_STRUCT(cursor);
@@ -1279,14 +1178,22 @@ int ads_keytab_list(const char *keytab_name)
        }
 
        if (keytab_name == NULL) {
-#ifdef HAVE_ADS
-               ret = ads_keytab_open(context, &keytab);
-#else
-               ret = ENOENT;
-#endif
-       } else {
-               ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+               /*
+                * If you don't specify a keytab, assume we want the default
+                * keytab.
+                */
+               ret = krb5_kt_default_name(context,
+                                          default_keytab,
+                                          sizeof(default_keytab) - 2);
+               if (ret != 0) {
+                       DBG_WARNING("Failed to get default keytab name\n");
+                       goto out;
+               }
+
+               keytab_name = default_keytab;
        }
+
+       ret = smb_krb5_kt_open(context, keytab_name, false, &keytab);
        if (ret) {
                DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
                          error_message(ret)));
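Review bot: The new default-keytab path passes `sizeof(default_keytab) - 2` to krb5_kt_default_name with no explanation; the `- 2` was carried over from the deleted ads_keytab_open and reads as a magic adjustment, so either pass `sizeof(default_keytab)` or add a comment stating what the two bytes are reserved for. A comment is also warranted that the default is now resolved by libkrb5 rather than by smb.conf's `kerberos method` / `dedicated keytab file`, so on hosts using a dedicated keytab this listing may no longer show the file smbd actually uses — e.g. `/* Resolved by libkrb5 (KRB5_KTNAME / krb5.conf default), independent of smb.conf keytab settings. */`; that libkrb5 honours KRB5_KTNAME here is the usual behaviour but not visible in this hunk. Opening with `false` for write access is the right choice for a list-only command. ads_keytab_list starts before and continues after this hunk.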
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0128f3eb7e8..3ef2b41e5a3 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2911,40 +2911,6 @@ out:
        return ret;
 }
 
-static int net_ads_keytab_flush(struct net_context *c,
-                               int argc,
-                               const char **argv)
-{
-       TALLOC_CTX *tmp_ctx = talloc_stackframe();
-       ADS_STRUCT *ads = NULL;
-       ADS_STATUS status;
-       int ret = -1;
-
-       if (c->display_usage) {
-               d_printf(  "%s\n"
-                          "net ads keytab flush\n"
-                          "    %s\n",
-                        _("Usage:"),
-                        _("Delete the whole keytab"));
-               TALLOC_FREE(tmp_ctx);
-               return -1;
-       }
-
-       if (!c->explicit_credentials) {
-               net_use_krb_machine_account(c);
-       }
-
-       status = ads_startup(c, true, tmp_ctx, &ads);
-       if (!ADS_ERR_OK(status)) {
-               goto out;
-       }
-
-       ret = ads_keytab_flush(ads);
-out:
-       TALLOC_FREE(tmp_ctx);
-       return ret;
-}
-
 static int net_ads_keytab_create(struct net_context *c, int argc, const char 
**argv)
 {
        NTSTATUS ntstatus;
@@ -2978,7 +2944,7 @@ static int net_ads_keytab_list(struct net_context *c, int 
argc, const char **arg
                d_printf("%s\n%s",
                         _("Usage:"),
                         _("net ads keytab list [keytab]\n"
-                          "  List a local keytab\n"
+                          "  List a local keytab (default: krb5 default)\n"
                           "    keytab\tKeytab to list\n"));
                return -1;
        }
@@ -3001,14 +2967,6 @@ int net_ads_keytab(struct net_context *c, int argc, 
const char **argv)
                        N_("net ads keytab create\n"
                           "    Create (sync) a fresh keytab or update existing 
one (see also smb.conf 'sync machine password to keytab'.")
                },
-               {
-                       "flush",
-                       net_ads_keytab_flush,
-                       NET_TRANSPORT_ADS,
-                       N_("Remove all keytab entries"),
-                       N_("net ads keytab flush\n"
-                          "    Remove all keytab entries")
-               },
                {
                        "list",
                        net_ads_keytab_list,
diff --git a/testprogs/blackbox/test_net_ads.sh 
b/testprogs/blackbox/test_net_ads.sh
index b14dc2b1633..5340056cc3e 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -92,7 +92,6 @@ if [ ! -f $dedicated_keytab_file ]; then
 fi
 
 if [ -f $dedicated_keytab_file ]; then
-       testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab 
list --option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed 
+ 1)
        testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool 
ads keytab list $dedicated_keytab_file || failed=$(expr $failed + 1)
 fi
 
@@ -141,28 +140,19 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND 
$net_tool ads search -P samacc
 testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P 
samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=$(expr $failed + 
1)
 testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P 
samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=$(expr $failed + 
1)
 
-# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
-short_alias_file="$BASEDIR/$WORKDIR/short_alias_file"
-printf 'short_alias\0$' >$short_alias_file
-cat >$BASEDIR/$WORKDIR/tmpldbmodify <<EOF
-dn: CN=$HOSTNAME,$computers_dn
-changetype: modify
-add: msDS-AdditionalDnsHostName
-msDS-AdditionalDnsHostName:< file://$short_alias_file
-EOF
-
-testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes 
-U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM 
$BASEDIR/$WORKDIR/tmpldbmodify || failed=$(expr $failed + 1)
-
-testit_grep "addl short alias" short_alias $ldbsearch --show-binary 
-U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b 
"CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || 
failed=$(expr $failed + 1)
-
-rm -f $BASEDIR/$WORKDIR/tmpldbmodify $short_alias_file
-
 
dedicated_keytab_file="$BASEDIR/$WORKDIR/test_dns_aliases_dedicated_krb5.keytab"
-
-testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create 
--option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed 
+ 1)
-
-testit_grep "dns alias1 check keytab" "HOST/${dns_alias1}@$REALM" $net_tool 
ads keytab list --option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed 
+ 1)
-testit_grep "dns alias2 check keytab" "HOST/${dns_alias2}@$REALM" $net_tool 
ads keytab list --option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed 
+ 1)
+testit "dns alias create_keytab" \
+       $VALGRIND $net_tool ads keytab create 
--option="syncmachinepasswordtokeytab=${dedicated_keytab_file}:sync_spns:machine_password"
 || \
+       failed=$(expr $failed + 1)
+
+testit_grep "dns alias1 check keytab" \
+       "HOST/${dns_alias1}@$REALM" \
+       $net_tool ads keytab list "${dedicated_keytab_file}" || \
+       failed=$(expr $failed + 1)
+testit_grep "dns alias2 check keytab" \
+       "HOST/${dns_alias2}@$REALM" \
+       $net_tool ads keytab list "${dedicated_keytab_file}" || \
+       failed=$(expr $failed + 1)
 
 rm -f $dedicated_keytab_file
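Review bot: The new `keytab create` invocation embeds `${dedicated_keytab_file}` in a colon-separated `syncmachinepasswordtokeytab` spec, so the test silently depends on `$BASEDIR/$WORKDIR` containing no `:`; a one-line comment, `# path must not contain ':' - it is the field separator of this option`, would save the next person a confusing failure. The new `keytab list` lines quote the path, but the cleanup kept as context still runs `rm -f $dedicated_keytab_file` unquoted; `rm -f "${dedicated_keytab_file}"` would match the quoting introduced here. Whether the option parser offers any escaping for the separator is not visible in this hunk.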
 

