s4-libnet: Prepare for a "rolling update" keytab export
authorAndrew Bartlett <abartlet@samba.org>
Wed, 6 Mar 2024 04:48:09 +0000 (17:48 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Mar 2024 22:06:39 +0000 (22:06 +0000)
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
selftest/knownfail.d/export-keytab
source4/libnet/libnet_export_keytab.c

index 97d1f617f8aef1b6928c28b0460bc2558d7b0996..9fa9aad7f4965cba13a9becc51b365f46be6fc42 100644 (file)
@@ -1,4 +1,3 @@
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_existing
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_not_a_dir
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_change3_update_keep
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_all_keep_stale
index 2d3b0ba7c3a20106a6e02d11a903eb5d4d364e4b..a049751fb4f5b1cb0326098ff4afe48438b4a2f4 100644 (file)
@@ -173,11 +173,32 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
                        for (i = 0; i < sentry.keys.len; i++) {
                                struct sdb_key *s = &(sentry.keys.val[i]);
                                krb5_keyblock *keyp;
+                               bool found;
 
                                keyp = KRB5_KT_KEY(&kt_entry);
 
                                *keyp = s->key;
 
+                               code = smb_krb5_is_exact_entry_in_keytab(mem_ctx,
+                                                                        context,
+                                                                        keytab,
+                                                                        &kt_entry,
+                                                                        &found,
+                                                                        error_string);
+                               if (code != 0) {
+                                       status = NT_STATUS_UNSUCCESSFUL;
+                                       *error_string = smb_get_krb5_error_message(context,
+                                                                                  code,
+                                                                                  mem_ctx);
+                                       DEBUG(0, ("smb_krb5_is_exact_entry_in_keytab failed code=%d, error = %s\n",
+                                                 code, *error_string));
+                                       goto done;
+                               }
+
+                               if (found) {
+                                       continue;
+                               }
+
                                code = krb5_kt_add_entry(context, keytab, &kt_entry);
                                if (code != 0) {
                                        status = NT_STATUS_UNSUCCESSFUL;
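Review bot: On the failure path of smb_krb5_is_exact_entry_in_keytab the new code unconditionally overwrites `*error_string` with smb_get_krb5_error_message(), even though the helper was itself handed `error_string`; if the helper already filled in a more specific message on that path it is discarded here, and its talloc allocation is left on mem_ctx. The following `DEBUG(0, ...)` then prints `*error_string` through `%s`, which is undefined behaviour if the message lookup returned NULL. A guarded form keeps whichever message is more specific and tolerates a NULL: `if (*error_string == NULL) { *error_string = smb_get_krb5_error_message(context, code, mem_ctx); }` followed by `*error_string ? *error_string : "<unknown>"` in the DEBUG call. The pre-existing krb5_kt_add_entry error path starting on the last line presumably follows the same pattern, so the two should be kept consistent; sdb_kt_copy begins and ends outside this hunk.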
@@ -210,13 +231,22 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
        }
 
        if (keys_exported == false) {
-               *error_string = talloc_asprintf(mem_ctx,
-                                               "No keys found while exporting %s.  "
-                                               "Consider connecting to a local sam.ldb, "
-                                               "only gMSA accounts can be exported over "
-                                               "LDAP and connecting user needs to be authorized",
-                                               principal ? principal : "all users in domain");
-               status = NT_STATUS_NO_USER_KEYS;
+               if (keep_stale_entries == false) {
+                       *error_string = talloc_asprintf(mem_ctx,
+                                                       "No keys found while exporting %s.  "
+                                                       "Consider connecting to a local sam.ldb, "
+                                                       "only gMSA accounts can be exported over "
+                                                       "LDAP and connecting user needs to be authorized",
+                                                       principal ? principal : "all users in domain");
+                       status = NT_STATUS_NO_USER_KEYS;
+               } else {
+                       DBG_NOTICE("No new keys found while exporting %s.  "
+                                  "If new keys were expected, consider connecting "
+                                  "to a local sam.ldb, only gMSA accounts can be exported over "
+                                  "LDAP and connecting user needs to be authorized\n",
+                                  principal ? principal : "all users in domain");
+                       status = NT_STATUS_OK;
+               }
        } else {
                status = NT_STATUS_OK;
        }
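Review bot: With keep_stale_entries set, the `keys_exported == false` case now returns NT_STATUS_OK, but that flag does not distinguish "every key was already present in the keytab" from "the database returned no entries at all", and the latter is exactly the unauthorised-LDAP / remote-sam situation the original error text warns about. If keys_exported is only set after a successful krb5_kt_add_entry (that assignment is outside this hunk, so inferred; the `continue` on a found key in the earlier hunk would then leave it false), a rolling update run against an unauthorised connection exits with success while the keytab silently stops being refreshed. A second flag set whenever an entry is seen, whether or not it is skipped as found, would let this branch keep the hard error when nothing was returned: `if (keep_stale_entries == false || entries_seen == false) {` in place of `if (keep_stale_entries == false) {`, with the DBG_NOTICE branch reserved for the genuinely-nothing-new case. sdb_kt_copy's body continues outside this hunk.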