From de2840d73cc01b840145cca59d80c479797c1c4c Mon Sep 17 00:00:00 2001
From: Daniel Kobras
Date: Thu, 8 Sep 2016 15:23:12 +0200
Subject: [PATCH 2/2] s3-libads: update arbitrary principals in keytab

Let ads_keytab_add_entry() just update any principal it's given, and get rid of magic to auto-add SPNs to the machine account that would clobber and replace existing principal names.

Signed-off-by: Daniel Kobras
---
 source3/libads/kerberos_keytab.c | 71 ++--------------------------------------
 1 file changed, 3 insertions(+), 68 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 8c7c1c3..dac8aa9 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -61,10 +61,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 char *short_princ_s = NULL;
 char *salt_princ_s = NULL;
 char *password_s = NULL;
- char *my_fqdn;
 TALLOC_CTX *tmpctx = NULL;
- char *machine_name;
- ADS_STATUS aderr;
 int i;
 
 initialize_krb5_error_table();
@@ -98,7 +95,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 password.data = password_s;
 password.length = strlen(password_s);
 
- /* we need the dNSHostName value here */
 tmpctx = talloc_init(__location__);
 if (!tmpctx) {
 DEBUG(0, (__location__ ": talloc_init() failed!\n"));
@@ -106,24 +102,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 goto out;
 }
 
- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
- if (!my_fqdn) {
- DEBUG(0, (__location__ ": unable to determine machine "
- "account's dns name in AD!\n"));
- ret = -1;
- goto out;
- }
-
- machine_name = ads_get_samaccountname(ads, tmpctx, lp_netbios_name());
- if (!machine_name) {
- DEBUG(0, (__location__ ": unable to determine machine "
- "account's short name in AD!\n"));
- ret = -1;
- goto out;
- }
- /*strip the trailing '$' */
- machine_name[strlen(machine_name)-1] = '\0';
-
 /* Construct our principal */
 if (strchr_m(srvPrinc, '@')) {
 /* It's a fully-named principal. */
@@ -132,51 +110,14 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 ret = -1;
 goto out;
 }
- } else if (srvPrinc[strlen(srvPrinc)-1] == '$') {
- /* It's the machine account, as used by smbclient clients. */
- princ_s = talloc_asprintf(tmpctx, "%s@%s",
- srvPrinc, lp_realm());
- if (!princ_s) {
- ret = -1;
- goto out;
- }
 } else {
- /* It's a normal service principal. Add the SPN now so that we
- * can obtain credentials for it and double-check the salt value
- * used to generate the service's keys. */
-
- princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
- srvPrinc, my_fqdn, lp_realm());
+ /* Add our default realm. */
+ princ_s = talloc_asprintf(tmpctx, "%s@%s",
+ srvPrinc, lp_realm());
 if (!princ_s) {
 ret = -1;
 goto out;
 }
- short_princ_s = talloc_asprintf(tmpctx, "%s/%s@%s",
- srvPrinc, machine_name,
- lp_realm());
- if (short_princ_s == NULL) {
- ret = -1;
- goto out;
- }
-
- /* According to http://support.microsoft.com/kb/326985/en-us,
- certain principal names are automatically mapped to the
- host/... principal in the AD account.
- So only create these in the keytab, not in AD. --jerry */
-
- if (!strequal(srvPrinc, "cifs") &&
- !strequal(srvPrinc, "host")) {
- DEBUG(3, (__location__ ": Attempting to add/update "
- "'%s'\n", princ_s));
-
- aderr = ads_add_service_principal_name(ads,
- lp_netbios_name(), my_fqdn, srvPrinc);
- if (!ADS_ERR_OK(aderr)) {
- DEBUG(1, (__location__ ": failed to "
- "ads_add_service_principal_name.\n"));
- goto out;
- }
- }
 }
 
 kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
@@ -357,12 +298,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 goto done;
 }
 
- p = strchr_m(srv_princ, '/');
- if (p == NULL) {
- continue;
- }
- p[0] = '\0';
-
 /* Add the SPNs found on the DC */
 ret = ads_keytab_add_entry(ads, srv_princ);
 if (ret != 0) {
-- 
2.9.0
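Review bot: The new else branch turns any realm-less name into `srvPrinc@lp_realm()`, so a bare service name such as `cifs`, which the removed code expanded to `cifs/<fqdn>@REALM`, now silently becomes the user-style principal `cifs@REALM` and the keytab gets an entry for the wrong name with no diagnostic. Because the kvno below is still looked up for lp_netbios_name() (and the password, set outside the hunk, is presumably the machine account's as well), the contract is now "the caller supplies a complete principal that is one of this machine account's names", and `/* Add our default realm. */` should say so: `/* srvPrinc is a complete SPN or account name of this machine account; only the default realm is appended here. Keys are derived from the machine account's password. */`. If rejecting the old calling convention is acceptable, a guard such as `if (strchr_m(srvPrinc, '/') == NULL && srvPrinc[strlen(srvPrinc)-1] != '$') { DEBUG(1, (__location__ ": '%s' is not an SPN or account name\n", srvPrinc)); ret = -1; goto out; }` before the talloc_asprintf would catch bare service names. With the only assignment to short_princ_s removed in this hunk the variable now stays NULL; if the rest of ads_keytab_add_entry still adds it conditionally, that path is dead and both the branch and the declaration can go. ads_keytab_add_entry starts and ends outside this hunk.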