/*
*/
/*
* kt_solaris.c is to provide set of keytab interfaces contracted with SMB team.
*/
#include "k5-int.h"
#include <errno.h>
#include <netdb.h>
#include <strings.h>
#include <stdio.h>
#include <assert.h>
#include <ctype.h>
#include "kt_solaris.h"
static krb5_error_code
{
return (code);
/*
* The default is file type w/o the write. If it's anything besides
* FILE or WRFILE then we bail as quickly as possible.
*/
else
return (EINVAL);
}
static krb5_error_code
const char *pw)
{
return (code);
}
goto cleanup;
return (code);
}
/*
* krb5_error_code k5_kt_add_ad_entries(krb5_context ctx, char **sprincs_str,
* krb5_kvno kvno, uint_t flags, char *password)
*
* Adds keys to the keytab file for a default set of service principals for
* the specified host (or local host) in an Active Directory environment.
*
* where ctx is the pointer passed back from krb5_init_context
* where sprincs_str is an array of service principal names to be added
* to the keytab file, terminated by a NULL pointer
* where domain is the domain used to fully qualify the hostname for
* constructing the salt in the string-to-key function.
* where kvno is the key version number of the set of service principal
* keys to be added
* where flags is the set of conditions that affects the key table entries
* current set of defined flags:
*
* encryption type
* ---------------
* 0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys added)
*
* where password is the password that will be used to derive the key for
* the associated service principals in the keytab file
* where hostname is the unqualified hostname of the system that will be used to
* derive the key salt. If NULL is specified, this function will use the hostname
* of the local system.
*
* Note: this function is used for adding service principals to the
* local /etc/krb5/krb5.keytab (unless KRB5_KTNAME has been set to something
* different, see krb5envvar(5)) file when the client belongs to an AD domain.
* The keytab file is populated differently for an AD domain as the various
* service principals share the same key material, unlike MIT based
* implementations.
*
* Note: For encryption types; the union of the enc type flag and the
* capabilities of the client is used to determine the enc type set to
* populate the keytab file.
*
* Note: The keys are not created for any AES enctypes UNLESS the
* K5_KT_FLAG_AES_SUPPORT flag is set and permitted_enctypes has the AES
* enctypes enabled.
*
* Note: In Active Directory environments the salt is constructed by truncating
* the host name to 15 characters and only use the host svc princ as the salt,
* e.g. host/<str15>.<domain>@<realm>. The realm name is determined by parsing
* sprincs_str. The local host name to construct is determined by calling
* gethostname(3C). If AD environments construct salts differently in the
* future or this function is expanded outside of AD environments one could
* derive the salt by sending an initial authentication exchange.
*
* Note: The kvno was previously determined by performing an LDAP query of the
* computer account's msDS-KeyVersionNumber attribute. If the schema changes
* in the future or this function is expanded outside of AD environments then
* one could derive the principal's kvno by requesting a service ticket.
*/
{
return (code);
goto cleanup;
}
goto cleanup;
}
/*
* case, but usually and appropriately not.
*/
ptr = '\0';
} else {
}
/*
* Windows servers currently truncate the host name to 15 characters
* and only use the host svc princ as the salt, e.g.
* host/str15.domain@realm
*/
realm) + 1;
goto cleanup;
}
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
if ((!(flags & K5_KT_FLAG_AES_SUPPORT) &&
continue;
}
if (penctype) {
if (code != 0)
goto cleanup;
else if (similar)
continue;
}
if (code != 0)
goto cleanup;
}
}
return (code);
}
#define PRINCIPAL 0
static krb5_error_code
{
goto cleanup;
} else
return (EINVAL);
goto cleanup;
goto cleanup;
}
if (code != 0) {
goto cleanup;
}
if (code != 0) {
goto cleanup;
}
if (code != 0) {
goto cleanup;
}
}
}
goto cleanup;
return (code);
}
/*
* krb5_error_code k5_kt_remove_by_realm(krb5_context ctx, char *realm)
*
* Removes all key entries in the keytab file that match the exact realm name
* specified.
*
* where ctx is the pointer passed back from krb5_init_context
* where realm is the realm name that is matched for any keytab entries
* to be removed
*
* Note: if there are no entries matching realm then 0 (success) is returned
*/
{
}
/*
* krb5_error_code k5_kt_remove_by_svcprinc(krb5_context ctx, char *sprinc_str)
*
* Removes all key entries in the keytab file that match the exact service
* principal name specified.
*
* where ctx is the pointer passed back from krb5_init_context
* where sprinc_str is the service principal name that is matched for any
* keytab entries to be removed
*
* Note: if there are no entries matching sprinc_str then 0 (success) is
* returned
*/
{
}
/*
* krb5_error_code k5_kt_validate(krb5_context ctx, char *sprinc_str,
* uint_t flags, boolean_t *valid)
*
* The validate function determines that the service principal exists and that
* it has a valid set of encryption types for said principal.
*
* where ctx is the pointer passed back from krb5_init_context
* where sprinc_str is the principal to be validated in the keytab file
* where flags is the set of conditions that affects the key table entries
* that the function considers valid
* current set of defined flags:
*
* encryption type
* ---------------
* 0x00000001 K5_KT_FLAG_AES_SUPPORT (core set + AES-256-128 keys are
* valid)
*
* where valid is a boolean that is set if the sprinc_str is correctly
* populated in the keytab file based on the flags set else valid is unset.
*
* Note: The validate function assumes that only one set of keys exists for
* a corresponding service principal, of key version number (kvno) n. It would
* consider more than one kvno set as invalid. This is from the fact that AD
* clients will attempt to refresh credential caches if KRB5KRB_AP_ERR_MODIFIED
* is returned by the acceptor when the requested kvno is not found within the
* keytab file.
*/
{
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
if (penctype) {
if (code != 0) {
goto cleanup;
} else if (similar)
continue;
}
kt_entries++;
}
}
aes_count++;
}
}
}
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
return (code);
}