 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.

 * The default is file type w/o the write. If it's anything besides
 * FILE or WRFILE then we bail as quickly as possible.

 * krb5_error_code k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str,
 *     krb5_kvno kvno, uint_t flags, char *password)
 *
 * Adds keys to the keytab file for a default set of service principals in an
 * Active Directory environment.
 *
 * where ctx is the pointer passed back from krb5_init_context
 *
 * where sprincs_str is an array of service principal names to be added
 * to the keytab file, terminated by a NULL pointer
 *
 * where domain is the domain used to fully qualify the hostname for
 * constructing the salt in the string-to-key function.
 *
 * where kvno is the key version number of the set of service principal
 *
 * where flags is the set of conditions that affect the key table entries
 * current set of defined flags:
 *     0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys added)
 *
 * where password is the password that will be used to derive the key for
 * the associated service principals in the keytab file
 *
 * Note: this function is used for adding service principals to the
 * different, see krb5envvar(5)) file when the client belongs to an AD domain.
 * The keytab file is populated differently for an AD domain as the various
 * service principals share the same key material, unlike MIT based
 *
 * Note: For encryption types, the union of the enctype flag and the
 * capabilities of the client is used to determine the enctype set used to
 * populate the keytab file.
 *
 * Note: The keys are not created for any AES enctypes UNLESS the
 * K5_KT_FLAG_AES_SUPPORT flag is set and permitted_enctypes has the AES
 *
 * Note: In Active Directory environments the salt is constructed by truncating
 * the host name to 15 characters and using only the host service principal as
 * the salt, e.g. host/<str15>.<domain>@<realm>. The realm name is determined by
 * parsing sprincs_str. The local host name used to construct it is determined
 * by calling gethostname(3C). If AD environments construct salts differently
 * in the future, or this function is expanded outside of AD environments, one
 * could derive the salt by sending an initial authentication exchange.
 *
 * Note: The kvno was previously determined by performing an LDAP query of the
 * computer account's msDS-KeyVersionNumber attribute. If the schema changes
 * in the future, or this function is expanded outside of AD environments, then
 * one could derive the principal's kvno by requesting a service ticket.

 * Local host name could be fully qualified and/or in upper case, but
 * usually and appropriately not.

 * Windows servers currently truncate the host name to 15 characters
 * and only use the host svc princ as the salt, e.g.
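The salt construction described in the notes above, as an added example in C that is not code from this Solaris file or from MIT krb5. It takes the local host name as gethostname(3C) might return it (possibly fully qualified, possibly upper case), keeps only the first DNS label, limits it to 15 characters and folds it to lower case (the lower-casing is this example's assumption, prompted by the comment's warning about upper-case host names), then forms host/<str15>.<domain>@<realm>. The function names build_ad_salt and ad_salt_equals, the AD_HOST_MAX macro and the sample host names are all this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AD_HOST_MAX 15   /* Windows truncates the host name to 15 characters */

/*
 * Write "host/<short>.<domain>@<realm>" into out, where <short> is the first
 * DNS label of hostname (a fully qualified name is cut at the first '.'),
 * folded to lower case (this example's assumption for an upper-case host
 * name) and limited to AD_HOST_MAX characters.  Returns the length the salt
 * needs, or -1 on bad input; a return value >= outlen means out was too
 * small and snprintf truncated the result.
 */
int build_ad_salt(const char *hostname, const char *domain, const char *realm,
                  char *out, size_t outlen)
{
    char shorthost[AD_HOST_MAX + 1];
    size_t i, n;

    if (hostname == NULL || domain == NULL || realm == NULL || out == NULL ||
        hostname[0] == '\0' || domain[0] == '\0' || realm[0] == '\0')
        return -1;

    n = strcspn(hostname, ".");      /* length of the first label */
    if (n == 0)
        return -1;                   /* name starts with '.' */
    if (n > AD_HOST_MAX)
        n = AD_HOST_MAX;

    for (i = 0; i < n; i++)
        shorthost[i] = (char)tolower((unsigned char)hostname[i]);
    shorthost[n] = '\0';

    return snprintf(out, outlen, "host/%s.%s@%s", shorthost, domain, realm);
}

/* Convenience check: 1 if the salt built from the inputs equals expected,
 * 0 otherwise (including when build_ad_salt reports an error). */
int ad_salt_equals(const char *hostname, const char *domain, const char *realm,
                   const char *expected)
{
    char salt[256];
    int len = build_ad_salt(hostname, domain, realm, salt, sizeof(salt));

    if (len < 0 || (size_t)len >= sizeof(salt))
        return 0;
    return strcmp(salt, expected) == 0;
}

int main(void)
{
    /* Constructed sample host names: short, fully qualified upper case,
     * and one whose first label exceeds the 15-character limit. */
    const char *hosts[] = { "ws01", "WS01.example.com",
                            "LONGHOSTNAMEEXCEEDS.example.com" };
    char salt[256];
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        if (build_ad_salt(hosts[i], "example.com", "EXAMPLE.COM",
                          salt, sizeof(salt)) < 0)
            printf("%-35s -> (invalid)\n", hosts[i]);
        else
            printf("%-35s -> %s\n", hosts[i], salt);
    }
    return 0;
}
```

Only the principal string is shown here; the string-to-key step that consumes it (krb5_principal2salt followed by the enctype's string-to-key function in MIT krb5) is unchanged by this example. The practical point for a defender is that a keytab populated with the wrong salt fails silently until a client presents a ticket, so checking the host label length and case before writing entries is cheaper than diagnosing KRB5KRB_AP_ERR_MODIFIED later.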
 * krb5_error_code k5_kt_remove_by_realm(krb5_context ctx, char *realm)
 *
 * Removes all key entries in the keytab file that match the exact realm name
 *
 * where ctx is the pointer passed back from krb5_init_context
 *
 * where realm is the realm name that is matched for any keytab entries
 *
 * Note: if there are no entries matching realm then 0 (success) is returned

 * krb5_error_code k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str)
 *
 * Removes all key entries in the keytab file that match the exact service
 * principal name specified.
 *
 * where ctx is the pointer passed back from krb5_init_context
 *
 * where sprinc_str is the service principal name that is matched for any
 * keytab entries to be removed
 *
 * Note: if there are no entries matching sprinc_str then 0 (success) is

 * krb5_error_code k5_kt_validate(krb5_context ctx, char *sprinc_str,
 *     uint_t flags, boolean_t *valid)
 *
 * The validate function determines that the service principal exists and that
 * it has a valid set of encryption types for said principal.
 *
 * where ctx is the pointer passed back from krb5_init_context
 *
 * where sprinc_str is the principal to be validated in the keytab file
 *
 * where flags is the set of conditions that affect the key table entries
 * that the function considers valid
 * current set of defined flags:
 *     0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys are
 *
 * where valid is a boolean that is set if sprinc_str is correctly
 * populated in the keytab file based on the flags set, else valid is unset.
 *
 * Note: The validate function assumes that only one set of keys exists for
 * a corresponding service principal, of key version number (kvno) n. It would
 * consider more than one kvno set as invalid. This follows from the fact that AD
 * clients will attempt to refresh credential caches if KRB5KRB_AP_ERR_MODIFIED
 * is returned by the acceptor when the requested kvno is not found within the
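The validation rule in the note above, as an added example in C that is not code from this Solaris file or from MIT krb5: the principal must be present, all of its entries must share a single kvno, and that kvno set must contain the core enctypes plus the AES enctypes when K5_KT_FLAG_AES_SUPPORT is passed. The flag value is the one listed in the comment; the enctype numbers are MIT krb5's (krb5.h) spelled out so the block compiles without Kerberos headers. The struct kt_entry type, the functions kt_validate_princ, has_key and validate_sample, the choice of RC4-HMAC as the stand-in "core" set (the comment does not name the core set) and the sample keytab contents are all this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define K5_KT_FLAG_AES_SUPPORT 0x00000001   /* flag value from the comment block */

/* MIT krb5 enctype numbers as defined in krb5.h, spelled out so the example
 * compiles without the Kerberos headers. */
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC            23

/* Minimal model of one keytab entry (hypothetical type, not krb5_keytab_entry). */
struct kt_entry {
    const char *princ;
    uint32_t    kvno;
    int         enctype;
};

/* Enctype sets assumed by this example; the comment block does not name the
 * "core" set, so RC4-HMAC stands in for it here. */
static const int core_set[] = { ENCTYPE_ARCFOUR_HMAC };
static const int aes_set[]  = { ENCTYPE_AES256_CTS_HMAC_SHA1_96,
                                ENCTYPE_AES128_CTS_HMAC_SHA1_96 };

/* 1 if an entry for princ with this kvno and enctype exists, else 0. */
static int has_key(const struct kt_entry *kt, size_t n, const char *princ,
                   uint32_t kvno, int enctype)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (kt[i].kvno == kvno && kt[i].enctype == enctype &&
            strcmp(kt[i].princ, princ) == 0)
            return 1;
    return 0;
}

/*
 * Returns 1 (valid) when princ has entries under exactly one kvno and that
 * kvno set contains every enctype in core_set, plus every enctype in aes_set
 * when K5_KT_FLAG_AES_SUPPORT is given; returns 0 otherwise.  Entries under
 * two different kvnos are treated as invalid, per the note above.
 */
int kt_validate_princ(const struct kt_entry *kt, size_t n, const char *princ,
                      unsigned flags)
{
    uint32_t kvno = 0;
    int found = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (strcmp(kt[i].princ, princ) != 0)
            continue;
        if (!found) {
            kvno = kt[i].kvno;
            found = 1;
        } else if (kt[i].kvno != kvno) {
            return 0;                  /* more than one kvno set */
        }
    }
    if (!found)
        return 0;                      /* principal absent from the keytab */

    for (i = 0; i < sizeof(core_set) / sizeof(core_set[0]); i++)
        if (!has_key(kt, n, princ, kvno, core_set[i]))
            return 0;
    if (flags & K5_KT_FLAG_AES_SUPPORT)
        for (i = 0; i < sizeof(aes_set) / sizeof(aes_set[0]); i++)
            if (!has_key(kt, n, princ, kvno, aes_set[i]))
                return 0;
    return 1;
}

/* Constructed sample keytab: host/ has a full kvno-2 set, cifs/ lacks AES,
 * and nfs/ carries keys under two kvnos (a stale set left behind). */
static const struct kt_entry sample_kt[] = {
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_ARCFOUR_HMAC },
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    { "cifs/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_ARCFOUR_HMAC },
    { "nfs/ws01.example.com@EXAMPLE.COM",  2, ENCTYPE_ARCFOUR_HMAC },
    { "nfs/ws01.example.com@EXAMPLE.COM",  3, ENCTYPE_ARCFOUR_HMAC },
};

/* Runs the validation against the constructed sample keytab. */
int validate_sample(const char *princ, unsigned flags)
{
    return kt_validate_princ(sample_kt,
                             sizeof(sample_kt) / sizeof(sample_kt[0]),
                             princ, flags);
}

int main(void)
{
    printf("host (AES):  %d\n", validate_sample("host/ws01.example.com@EXAMPLE.COM", K5_KT_FLAG_AES_SUPPORT));
    printf("cifs (core): %d\n", validate_sample("cifs/ws01.example.com@EXAMPLE.COM", 0));
    printf("cifs (AES):  %d\n", validate_sample("cifs/ws01.example.com@EXAMPLE.COM", K5_KT_FLAG_AES_SUPPORT));
    printf("nfs (core):  %d\n", validate_sample("nfs/ws01.example.com@EXAMPLE.COM", 0));
    return 0;
}
```

Treating the two-kvno case as invalid rather than picking the newest kvno is deliberate and mirrors the note: a leftover key set is the condition under which an acceptor returns KRB5KRB_AP_ERR_MODIFIED for a kvno it cannot find, so the check reports it as something to clean up (with k5_kt_remove_by_svcprinc and a fresh k5_kt_add_ad_entries) rather than papering over it.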