From: Jo Sutton
Date: Fri, 26 Apr 2024 01:54:42 +0000 (+1200)
Subject: s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
X-Git-Tag: tdb-1.4.11~577
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ea07824655170fb20bb0c6862d7697ca96b8697;p=thirdparty%2Fsamba.git
s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index 77c48f6cc9f..fbe94068f58 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -410,7 +410,7 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 }
 }
- sdb_flags = SDB_F_ADMIN_DATA;
+ sdb_flags = r->in.as_for_AS_REQ ? SDB_F_FOR_AS_REQ : SDB_F_ADMIN_DATA;
 status = sdb_kt_copy(mem_ctx,
 smb_krb5_context,
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
index 706e88c2e20..a5536856c97 100644
--- a/source4/libnet/libnet_export_keytab.h
+++ b/source4/libnet/libnet_export_keytab.h
@@ -26,6 +26,7 @@ struct libnet_export_keytab {
 struct ldb_context *samdb;
 bool keep_stale_entries;
 bool only_current_keys;
+ bool as_for_AS_REQ;
 } in;
 struct {
 const char *error_string;
diff --git a/source4/libnet/py_net_dckeytab.c b/source4/libnet/py_net_dckeytab.c
index 7de4793b99f..d3770e1ec5a 100644
--- a/source4/libnet/py_net_dckeytab.c
+++ b/source4/libnet/py_net_dckeytab.c
@@ -39,6 +39,7 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
 "principal",
 "keep_stale_entries",
 "only_current_keys",
+ "as_for_AS_REQ",
 NULL };
 NTSTATUS status;
 /*
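Review bot: The ternary at the `sdb_flags` assignment in libnet_export_keytab.c replaces SDB_F_ADMIN_DATA with SDB_F_FOR_AS_REQ instead of combining the two, and nothing at the assignment says that is deliberate. Judging by the docstring added later in this commit, the flag changes which keys end up in the exported keytab, so the choice deserves a comment above the line, e.g. `/* as_for_AS_REQ: fetch entries the way the KDC would for an AS-REQ rather than as admin data; used by the testsuite to inspect the keys an AS-REQ would see */`. The new `bool as_for_AS_REQ;` field in libnet_export_keytab.h has no comment either and could carry a one-line version of the same. Whether as_for_AS_REQ is meant to be combined with only_current_keys cannot be told from here, because the rest of libnet_export_keytab() lies outside the hunk; if the combination is not meaningful, rejecting it before the sdb_kt_copy() call would be clearer than silently honouring one of them.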
@@ -47,18 +48,21 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
 */
 int keep_stale_entries = false;
 int only_current_keys = false;
+ int as_for_AS_REQ = false;
- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|Ozpp:export_keytab", discard_const_p(char *, kwnames),
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|Ozppp:export_keytab", discard_const_p(char *, kwnames),
 &r.in.keytab_name,
 &py_samdb,
 &r.in.principal,
 &keep_stale_entries,
- &only_current_keys)) {
+ &only_current_keys,
+ &as_for_AS_REQ)) {
 return NULL;
 }
 r.in.keep_stale_entries = keep_stale_entries;
 r.in.only_current_keys = only_current_keys;
+ r.in.as_for_AS_REQ = as_for_AS_REQ;
 if (py_samdb == NULL) {
 r.in.samdb = NULL;
@@ -90,8 +94,13 @@ static PyObject *py_net_export_keytab(py_net_Object *self, PyObject *args, PyObj
 static const char py_net_export_keytab_doc[] =
 "export_keytab(keytab, samdb=None, principal=None, "
- "keep_stale_entries=False, only_current_keys=False)\n\n"
- "Export the DC keytab to a keytab file.";
+ "keep_stale_entries=False, only_current_keys=False, "
+ "as_for_AS_REQ=False)\n\n"
+ "Export the DC keytab to a keytab file.\n\n"
+ "Pass as_for_AS_REQ=True to simulate the combination of flags normally "
+ "utilized for an AS‐REQ. Samba’s testsuite uses this to verify which "
+ "keys the KDC would see — some combination of previous and current "
+ "keys — for a Group Managed Service Account performing an AS‐REQ.";
 static PyMethodDef export_keytab_method_table[] = {
 {"export_keytab", PY_DISCARD_FUNC_SIG(PyCFunction,
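Review bot: The extra `p` appended to the format string leaves as_for_AS_REQ reachable as the sixth positional argument, so a call like `export_keytab(kt, samdb, princ, False, False, True)` switches the key-selection mode with nothing at the call site naming it. Since the option exists to simulate KDC behaviour for tests, I would make it keyword-only by placing `$` before its converter: `"s|Ozpp$p:export_keytab"`. The existing optional arguments keep their positional form, so current callers are unaffected. The start and end of py_net_export_keytab() are outside this hunk.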
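Review bot: The added docstring lines in py_net_export_keytab_doc spell AS‐REQ with U+2010 HYPHEN and also use ’ and —, so searching the source or help() output for the ASCII `AS-REQ` will not find this option, and the literal only renders correctly where the file is compiled and displayed as UTF-8. I would keep the literal ASCII, e.g. `"utilized for an AS-REQ. Samba's testsuite uses this to verify which "`, and likewise replace the dashes in the two lines that follow with `--`. The text also does not say how as_for_AS_REQ relates to only_current_keys; if the two can be combined, one sentence stating the result would help callers (the interaction is not visible in this hunk).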