kt_solaris.c revision 2
/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */
/*
 * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * The default is file type w/o the write. If it's anything besides
 * FILE or WRFILE then we bail as quickly as possible.
 */

/*
 * krb5_error_code k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str,
 *     krb5_kvno kvno, uint_t flags, char *password)
 *
 * Adds keys to the keytab file for a default set of service principals in an
 * Active Directory environment.
 *
 * where ctx is the pointer passed back from krb5_init_context
 * where sprincs_str is an array of service principal names to be added
 *     to the keytab file, terminated by a NULL pointer
 * where domain is the domain used to fully qualify the hostname for
 *     constructing the salt in the string-to-key function.
 * where kvno is the key version number of the set of service principal
 * where flags is the set of conditions that affects the key table entries
 *     current set of defined flags:
 *     0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys added)
 * where password is the password that will be used to derive the key for
 *     the associated service principals in the keytab file
 *
 * Note: this function is used for adding service principals to the
 *     different, see krb5envvar(5)) file when the client belongs to an AD domain.
 */
/*
 * The keytab file is populated differently for an AD domain as the various
 * service principals share the same key material, unlike MIT based
 *
 * Note: For encryption types, the union of the enc type flag and the
 * capabilities of the client is used to determine the enc type set to
 * populate the keytab file.
 *
 * Note: The keys are not created for any AES enctypes UNLESS the
 * K5_KT_FLAG_AES_SUPPORT flag is set and permitted_enctypes has the AES
 *
 * Note: In Active Directory environments the salt is constructed by truncating
 * the host name to 15 characters and using only the host svc princ as the salt,
 * e.g. host/<str15>.<domain>@<realm>. The realm name is determined by parsing
 * sprincs_str. The local host name used to construct it is determined by calling
 * gethostname(3C). If AD environments construct salts differently in the
 * future or this function is expanded outside of AD environments, one could
 * derive the salt by sending an initial authentication exchange.
 *
 * Note: The kvno was previously determined by performing an LDAP query of the
 * computer account's msDS-KeyVersionNumber attribute. If the schema changes
 * in the future or this function is expanded outside of AD environments, then
 * one could derive the principal's kvno by requesting a service ticket.
 */

	/*
	 * Local host name could be fully qualified and/or in upper case, but
	 * usually and appropriately not.
	 */

	/*
	 * Windows servers currently truncate the host name to 15 characters
	 * and only use the host svc princ as the salt, e.g.
	 */
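The host-principal and salt construction described in the notes above, as an added example that is not code from kt_solaris.c: ad_host_princ (a hypothetical name) builds host/<str15>.<domain>@<realm> from a local host name that may be fully qualified or upper case, and ad_default_salt reproduces what krb5_principal2salt derives from that string, the realm followed by the name components with the separators removed. Lower-casing the short host name is an assumption, as is leaving domain and realm as given.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AD_HOST_MAX 15   /* Windows truncates the host name to 15 characters */

/*
 * Build "host/<str15>.<domain>@<realm>" from the local host name, which may be
 * fully qualified and/or upper case. Assumption: the short name is lower-cased;
 * domain and realm are used as given. Returns 0, or -1 on empty name/short buffer.
 */
int ad_host_princ(char *out, size_t outsz, const char *localname,
                  const char *domain, const char *realm)
{
    char shortname[AD_HOST_MAX + 1];
    size_t n = 0;
    /* stop at the first '.' (drops any domain part) and at 15 characters */
    while (localname[n] != '\0' && localname[n] != '.' && n < AD_HOST_MAX) {
        shortname[n] = (char)tolower((unsigned char)localname[n]);
        n++;
    }
    shortname[n] = '\0';
    if (n == 0) return -1;
    int rc = snprintf(out, outsz, "host/%s.%s@%s", shortname, domain, realm);
    return (rc < 0 || (size_t)rc >= outsz) ? -1 : 0;
}

/*
 * Default salt for a principal string as krb5_principal2salt derives it: the
 * realm followed by the name components with the '/' separators removed.
 * Returns 0, or -1 if there is no '@' or the buffer is too small.
 */
int ad_default_salt(char *out, size_t outsz, const char *princ)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL) return -1;
    size_t len = strlen(at + 1);
    if (len + 1 > outsz) return -1;
    memcpy(out, at + 1, len);               /* realm goes first */
    for (const char *p = princ; p < at; p++) {
        if (*p == '/')
            continue;
        if (len + 1 >= outsz)
            return -1;
        out[len++] = *p;
    }
    out[len] = '\0';
    return 0;
}
```

A 20-character upper-case FQDN such as WEBSERVER-FRONTEND01.Example.COM therefore yields host/webserver-front.example.com@EXAMPLE.COM, which is why a key derived from the untruncated name will not match what the domain controller issued.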
/*
 * krb5_error_code k5_kt_remove_by_realm(krb5_context ctx, char *realm)
 *
 * Removes all key entries in the keytab file that match the exact realm name
 *
 * where ctx is the pointer passed back from krb5_init_context
 * where realm is the realm name that is matched for any keytab entries
 *
 * Note: if there are no entries matching realm then 0 (success) is returned
 */

/*
 * krb5_error_code k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str)
 *
 * Removes all key entries in the keytab file that match the exact service
 * principal name specified.
 *
 * where ctx is the pointer passed back from krb5_init_context
 * where sprinc_str is the service principal name that is matched for any
 *     keytab entries to be removed
 *
 * Note: if there are no entries matching sprinc_str then 0 (success) is
 */

/*
 * krb5_error_code k5_kt_validate(krb5_context ctx, char *sprinc_str,
 *     uint_t flags, boolean_t *valid)
 *
 * The validate function determines that the service principal exists and that
 * it has a valid set of encryption types for said principal.
 *
 * where ctx is the pointer passed back from krb5_init_context
 * where sprinc_str is the principal to be validated in the keytab file
 * where flags is the set of conditions that affects the key table entries
 *     that the function considers valid
 *     current set of defined flags:
 *     0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys are
 * where valid is a boolean that is set if the sprinc_str is correctly
 *     populated in the keytab file based on the flags set, else valid is unset.
 *
 * Note: The validate function assumes that only one set of keys exists for
 * a corresponding service principal, of key version number (kvno) n. It would
 * consider more than one kvno set as invalid. This follows from the fact that AD
 * clients will attempt to refresh credential caches if KRB5KRB_AP_ERR_MODIFIED
 * is returned by the acceptor when the requested kvno is not found within the
 */
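The validation rule from the k5_kt_validate notes (exactly one kvno set for the principal, with AES keys required only when K5_KT_FLAG_AES_SUPPORT is set, as the enctype note under k5_kt_add_ad_entries also describes), as an added example that is not code from kt_solaris.c, run over a constructed in-memory keytab. The core set is assumed to be RC4-HMAC only, since the page truncates its list; kt_validate and kt_entry are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define K5_KT_FLAG_AES_SUPPORT 0x00000001    /* flag value from kt_solaris.c */
/* Enctype numbers from RFC 3962 (AES) and RFC 4757 (RC4-HMAC); all < 32. */
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC            23

/* Required enctypes as bitmasks. Assumed core set: RC4-HMAC only. */
#define CORE_SET (1u << ENCTYPE_ARCFOUR_HMAC)
#define AES_SET  ((1u << ENCTYPE_AES256_CTS_HMAC_SHA1_96) | (1u << ENCTYPE_AES128_CTS_HMAC_SHA1_96))

typedef struct { const char *princ; uint32_t kvno; int enctype; } kt_entry;

/* Constructed sample keytab: nfs/ has two kvno sets, cifs/ lacks AES keys. */
static const kt_entry sample_kt[] = {
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_ARCFOUR_HMAC },
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
    { "host/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    { "cifs/ws01.example.com@EXAMPLE.COM", 2, ENCTYPE_ARCFOUR_HMAC },
    { "nfs/ws01.example.com@EXAMPLE.COM",  1, ENCTYPE_ARCFOUR_HMAC },
    { "nfs/ws01.example.com@EXAMPLE.COM",  2, ENCTYPE_ARCFOUR_HMAC },
};
#define SAMPLE_KT_LEN (sizeof sample_kt / sizeof sample_kt[0])

/* true iff princ has exactly one kvno set and that set holds every required key */
bool kt_validate(const kt_entry *kt, size_t n, const char *princ, unsigned flags)
{
    bool seen = false;
    uint32_t kvno = 0, have = 0;          /* bit i is set when enctype i is present */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(kt[i].princ, princ) != 0)
            continue;
        if (!seen) { kvno = kt[i].kvno; seen = true; }
        else if (kt[i].kvno != kvno)
            return false;                 /* more than one kvno set: invalid */
        have |= 1u << kt[i].enctype;
    }
    if (!seen)
        return false;                     /* principal not in the keytab */
    uint32_t need = CORE_SET;
    if (flags & K5_KT_FLAG_AES_SUPPORT)
        need |= AES_SET;
    return (have & need) == need;
}
```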