From 5622e198027b5e1e52fedb78f1b96ed42e1fced6 Mon Sep 17 00:00:00 2001
From: Daniel Kobras
Date: Thu, 8 Sep 2016 15:11:49 +0200
Subject: [PATCH 1/2] s3:utils/net: add SPN entries from net ads

source3/libads/kerberos_keytab.c::ads_keytab_add_entry() tries to second-guess when new keytab entries should also be added as servicePrincipalNames to the machine account, but 'net ads keytab add' is the only case where we should ever encounter a non-existing SPN. Adding this logic to the caller allows us to simplify ads_keytab_add_entry() later on.

Signed-off-by: Daniel Kobras
---
 source3/utils/net_ads.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index e6b9fdc..0e7b2bd 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2609,7 +2609,15 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv
 {
 int i;
 int ret = 0;
+ char *my_fqdn;
+ char *princ_s;
 ADS_STRUCT *ads;
+ ADS_STATUS aderr;
+ TALLOC_CTX *ctx = NULL;
+
+#ifdef DEVELOPER
+ talloc_enable_leak_report();
+#endif
 
 if (c->display_usage) {
 d_printf("%s\n%s",
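Review bot: The `#ifdef DEVELOPER` block calling `talloc_enable_leak_report()` at the top of net_ads_keytab_add is a debugging aid that the commit message does not mention and that nothing else in the change needs; it will print a talloc leak report at process exit for every developer-build run of `net ads keytab add`. Suggest dropping those three lines, or if they are meant to stay, adding a comment stating the intent, e.g. `/* DEVELOPER builds: report talloc leaks left behind by the SPN/keytab loop below */`. The declarations added here are used by the second hunk; the function body continues outside this hunk.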
@@ -2625,10 +2633,58 @@ static int net_ads_keytab_add(struct net_context *c, int argc, const char **argv
 if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 return -1;
 }
+
+ if (!(ctx = talloc_init("net_ads_keytab_add"))) {
+ d_fprintf(stderr, _("Could not initialise talloc context\n"));
+ return -1;
+ }
+
+ my_fqdn = ads_get_dnshostname(ads, ctx, lp_netbios_name());
+ if (!my_fqdn) {
+ DEBUG(0, (__location__ ": unable to determine machine "
+ "account's dns name in AD!\n"));
+ return -1;
+ }
+
 for (i = 0; i < argc; i++) {
- ret |= ads_keytab_add_entry(ads, argv[i]);
+ DEBUG(3, (__location__ ": Attempting to add/update "
+ "'%s'\n", argv[i]));
+
+ /* foreign realm? -> just add to keytab and hope for the best */
+ if (strchr_m(argv[i], '@')) {
+ DEBUG(3, (__location__ ": skip adding principal from arbitrary realm to AD"));
+ ret |= ads_keytab_add_entry(ads, argv[i]);
+ continue;
+ }
+
+ /* machine account -> just add to keytab, should already be present in AD */
+ if (strlen(argv[i]-1) > 0 &&
+ argv[i][strlen(argv[i]-1)] == '$') {
+ DEBUG(3, (__location__ ": no need to add machine principal to AD"));
+ ret |= ads_keytab_add_entry(ads, argv[i]);
+ continue;
+ }
+
+ /* add two new SPNs (with machine name and dNSHostName suffix, respectively)
+ * to our machine account */
+ aderr = ads_add_service_principal_name(ads, lp_netbios_name(), \
+ my_fqdn, argv[i]);
+
+ if (!ADS_ERR_OK(aderr)) {
+ DEBUG(1, (__location__ ": failed to "
+ "ads_add_service_principal_name.\n"));
+ continue;
+ }
+
+ /* add keytab entries for both SPNs */
+ princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], lp_netbios_name(), lp_realm());
+ ret |= ads_keytab_add_entry(ads, princ_s);
+
+ princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], my_fqdn, lp_realm());
+ ret |= ads_keytab_add_entry(ads, princ_s);
 }
 ads_destroy(&ads);
+ TALLOC_FREE(ctx);
 return ret;
 }
 
-- 
2.9.0
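Review bot: The machine-account test in the loop, `if (strlen(argv[i]-1) > 0 && argv[i][strlen(argv[i]-1)] == '$')`, subtracts one from the pointer instead of from the length, so strlen() starts one byte before the beginning of each argv string (an out-of-bounds read, undefined behaviour) and the resulting index is off as well; the intended form is `size_t len = strlen(argv[i]); if (len > 0 && argv[i][len - 1] == '$') {`. The two new early returns — on talloc_init() failure and when ads_get_dnshostname() returns NULL — run after ads_startup() has succeeded but skip the `ads_destroy(&ads)` / `TALLOC_FREE(ctx)` cleanup at the end of the function, so both leak the ADS_STRUCT (and the second leaks ctx). Each `princ_s` from talloc_asprintf() is handed to ads_keytab_add_entry() without a NULL check, which will dereference NULL on allocation failure unless that function tolerates it. A failed ads_add_service_principal_name() only logs and continues, leaving ret untouched, so the command can still exit 0 although the SPN was never registered in AD; consider recording the failure in ret. The trailing `\` on the `aderr = ads_add_service_principal_name(...)` line is a stray line continuation outside any macro and should be removed.

```c
	if (!(ctx = talloc_init("net_ads_keytab_add"))) {
		d_fprintf(stderr, _("Could not initialise talloc context\n"));
		ads_destroy(&ads);
		return -1;
	}

	my_fqdn = ads_get_dnshostname(ads, ctx, lp_netbios_name());
	if (!my_fqdn) {
		DEBUG(0, (__location__ ": unable to determine machine "
			  "account's dns name in AD!\n"));
		TALLOC_FREE(ctx);
		ads_destroy(&ads);
		return -1;
	}

	for (i = 0; i < argc; i++) {
		size_t len = strlen(argv[i]);

		/* … unchanged: debug message and foreign-realm check … */

		/* machine account -> just add to keytab, should already be present in AD */
		if (len > 0 && argv[i][len - 1] == '$') {
			/* … unchanged: debug message, ads_keytab_add_entry, continue … */
		}

		/* … unchanged: ads_add_service_principal_name and its error check … */

		/* add keytab entries for both SPNs; talloc_asprintf() can fail */
		princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], lp_netbios_name(), lp_realm());
		if (princ_s == NULL) {
			ret = -1;
			break;
		}
		ret |= ads_keytab_add_entry(ads, princ_s);

		princ_s = talloc_asprintf(ctx, "%s/%s@%s", argv[i], my_fqdn, lp_realm());
		if (princ_s == NULL) {
			ret = -1;
			break;
		}
		ret |= ads_keytab_add_entry(ads, princ_s);
	}
```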