Make "samba-tool domain exportkeytab" prune old keys
authorAndrew Bartlett <abartlet@samba.org>
Tue, 19 Dec 2023 22:18:13 +0000 (11:18 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Mar 2024 22:06:39 +0000 (22:06 +0000)
This slowly prepares it to be an update tool, not just a one-off export tool

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
source4/libnet/libnet_export_keytab.c

index 21aae7b400eb5eafba397c9eb4202bf83dab7620..c0b9147658050b8a39d817582a77455725d5c70b 100644 (file)
 
 #include "includes.h"
 #include "system/kerberos.h"
+#include "auth/credentials/credentials.h"
 #include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_credentials.h"
+#include "auth/kerberos/kerberos_util.h"
 #include "kdc/samba_kdc.h"
 #include "libnet/libnet_export_keytab.h"
 
@@ -77,6 +80,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
 
        for (; code == 0; code = samba_kdc_nextkey(context, db_ctx, &sentry)) {
                int i;
+               bool found_previous = false;
 
                code = krb5_unparse_name(context,
                                         sentry.principal,
@@ -89,6 +93,23 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
                        goto done;
                }
 
+               if (copy_one_principal) {
+                       code = smb_krb5_remove_obsolete_keytab_entries(mem_ctx,
+                                                                      context,
+                                                                      keytab,
+                                                                      1, &sentry.principal,
+                                                                      sentry.kvno,
+                                                                      &found_previous,
+                                                                      error_string);
+                       if (code != 0) {
+                               *error_string = talloc_asprintf(mem_ctx,
+                                                               "Failed to remove old principals from keytab: %s\n",
+                                                               *error_string);
+                               status = NT_STATUS_UNSUCCESSFUL;
+                               goto done;
+                       }
+               }
+
                if (sentry.keys.len == 0) {
                        SAFE_FREE(entry_principal);
                        sdb_entry_free(&sentry);
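Review bot: The new error path, the `goto done` taken when smb_krb5_remove_obsolete_keytab_entries() fails, leaves `entry_principal` (allocated by krb5_unparse_name() just above) and `sentry` unreleased unless the `done:` label frees them, whereas the `sentry.keys.len == 0` branch right below releases both per iteration. Add `SAFE_FREE(entry_principal); sdb_entry_free(&sentry);` before that `goto done`, or route the failure through the same per-iteration cleanup. Separately, `found_previous` (declared in the hunk at -77,+80) is written by the callee but never read in the visible hunks; if the rest of the function does not consult it either, a short comment saying the result is intentionally ignored would help. The format `"Failed to remove old principals from keytab: %s\n"` consumes `*error_string` as set by the callee; if that call can fail without setting it, `%s` would receive NULL, so it is worth confirming the callee always fills it or guarding the argument. sdb_kt_copy starts and ends outside this hunk.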