From: Andreas Schneider
Date: Thu, 10 Apr 2025 14:13:42 +0000 (+0200)
Subject: s3:net: 'net ads keytab list' should only list default keytab
X-Git-Tag: tevent-0.17.0~351
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f4c6c6633b75e98f967483dde39d8b8a6967908;p=thirdparty%2Fsamba.git

s3:net: 'net ads keytab list' should only list default keytab

If you don't specify a keytab, assume we just want the default keytab. This will make upcoming changes to the code easier.

Signed-off-by: Andreas Schneider
Reviewed-by: Pavel Filipenský
---
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 8d6b990b651..ed26c6af499 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,13 +34,13 @@
 #ifdef HAVE_KRB5
-#ifdef HAVE_ADS
-
 /* This MAX_NAME_LEN is a constant defined in krb5.h */
 #ifndef MAX_KEYTAB_NAME_LEN
 #define MAX_KEYTAB_NAME_LEN 1100
 #endif
+#ifdef HAVE_ADS
+
 enum spn_spec_type {
 	SPN_SPEC_ACCOUNT_NAME,
 	SPN_SPEC_SYNC_ACCOUNT_NAME,
@@ -1152,52 +1152,6 @@ params_ready:
 	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
-
-static krb5_error_code ads_keytab_open(krb5_context context,
-				       krb5_keytab *keytab)
-{
-	char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
-	const char *keytab_name = NULL;
-	krb5_error_code ret = 0;
-
-	switch (lp_kerberos_method()) {
-	case KERBEROS_VERIFY_SYSTEM_KEYTAB:
-	case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
-		ret = krb5_kt_default_name(context,
-					   keytab_str,
-					   sizeof(keytab_str) - 2);
-		if (ret != 0) {
-			DBG_WARNING("Failed to get default keytab name\n");
-			goto out;
-		}
-		keytab_name = keytab_str;
-		break;
-	case KERBEROS_VERIFY_DEDICATED_KEYTAB:
-		keytab_name = lp_dedicated_keytab_file();
-		break;
-	default:
-		DBG_ERR("Invalid kerberos method set (%d)\n",
-			lp_kerberos_method());
-		ret = KRB5_KT_BADNAME;
-		goto out;
-	}
-
-	if (keytab_name == NULL || keytab_name[0] == '\0') {
-		DBG_ERR("Invalid keytab name\n");
-		ret = KRB5_KT_BADNAME;
-		goto out;
-	}
-
-	ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
-	if (ret != 0) {
-		DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
-			    error_message(ret));
-		goto out;
-	}
-
-out:
-	return ret;
-}
 #endif /* HAVE_ADS */
 /**********************************************************************
@@ -1211,6 +1165,7 @@ int ads_keytab_list(const char *keytab_name)
 	krb5_keytab keytab = NULL;
 	krb5_kt_cursor cursor;
 	krb5_keytab_entry kt_entry;
+	char default_keytab[MAX_KEYTAB_NAME_LEN] = {0};
 	ZERO_STRUCT(kt_entry);
 	ZERO_STRUCT(cursor);
@@ -1223,14 +1178,22 @@ int ads_keytab_list(const char *keytab_name)
 	}
 	if (keytab_name == NULL) {
-#ifdef HAVE_ADS
-		ret = ads_keytab_open(context, &keytab);
-#else
-		ret = ENOENT;
-#endif
-	} else {
-		ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+		/*
+		 * If you don't specify a keytab, assume we want the default
+		 * keytab.
+		 */
+		ret = krb5_kt_default_name(context,
+					   default_keytab,
+					   sizeof(default_keytab) - 2);
+		if (ret != 0) {
+			DBG_WARNING("Failed to get default keytab name\n");
+			goto out;
+		}
+
+		keytab_name = default_keytab;
 	}
+
+	ret = smb_krb5_kt_open(context, keytab_name, false, &keytab);
 	if (ret) {
 		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", error_message(ret)));
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d52073685f5..3ef2b41e5a3 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2944,7 +2944,7 @@ static int net_ads_keytab_list(struct net_context *c, int argc, const char **arg
 		d_printf("%s\n%s",
 			 _("Usage:"),
 			 _("net ads keytab list [keytab]\n"
-			   " List a local keytab\n"
+			   " List a local keytab (default: krb5 default)\n"
			   " keytab\tKeytab to list\n"));
 		return -1;
 	}
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index b14dc2b1633..dd5b013924a 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -92,7 +92,6 @@ if [ ! -f $dedicated_keytab_file ]; then
 fi
 if [ -f $dedicated_keytab_file ]; then
-	testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1)
 	testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=$(expr $failed + 1)
 fi
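Review bot: The open-failure log right after the new `smb_krb5_kt_open()` call does not say which keytab was tried, and with this hunk keytab_name can now come implicitly from krb5_kt_default_name() rather than from the caller, so the diagnostic should name it: `DEBUG(1, ("smb_krb5_kt_open(%s) failed (%s)\n", keytab_name, error_message(ret)));`. The new comment should also record that smb.conf's `kerberos method` / `dedicated keytab file` are deliberately not consulted here any more — the deleted ads_keytab_open() did consult them, and a reader comparing old and new behaviour may otherwise re-add that lookup — e.g. `/* Deliberately does not honour 'kerberos method' / 'dedicated keytab file'; pass the path explicitly to list a dedicated keytab. */`. The `sizeof(default_keytab) - 2` is carried over from the deleted helper without explanation; if the extra slack is intentional, a short comment would stop someone "fixing" it later. ads_keytab_list() starts and ends outside this hunk.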
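Review bot: The new usage text `(default: krb5 default)` does not tell an admin which file is actually listed, and in this commit the bare invocation stops honouring the smb.conf `dedicated keytab file` setting, which is the part most likely to surprise someone. Spell it out in the string, e.g. `"  List a local keytab (default: the krb5 library's default keytab;\n"` followed by `"  smb.conf 'dedicated keytab file' is not consulted)\n"`. As far as I know libkrb5 also lets KRB5_KTNAME override that default, which is worth stating in the net(8) man page if not here. net_ads_keytab_list() starts and ends outside this hunk.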
@@ -161,8 +160,14 @@ dedicated_keytab_file="$BASEDIR/$WORKDIR/test_dns_aliases_dedicated_krb5.keytab"
 testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1)
-testit_grep "dns alias1 check keytab" "HOST/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1)
-testit_grep "dns alias2 check keytab" "HOST/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$(expr $failed + 1)
+testit_grep "dns alias1 check keytab" \
+	"HOST/${dns_alias1}@$REALM" \
+	$net_tool ads keytab list "${dedicated_keytab_file}" || \
+	failed=$(expr $failed + 1)
+testit_grep "dns alias2 check keytab" \
+	"HOST/${dns_alias2}@$REALM" \
+	$net_tool ads keytab list "${dedicated_keytab_file}" || \
+	failed=$(expr $failed + 1)
 rm -f $dedicated_keytab_file
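Review bot: With the `--option="kerberosmethod=dedicatedkeytab"` invocations removed here and in the earlier test hunk, no test in this file exercises the new no-argument path of ads_keytab_list() — every remaining `net ads keytab list` passes an explicit path, so the behaviour the commit title describes is untested. If the test environment provides a default keytab, or one can be pointed at via KRB5_KTNAME (assuming libkrb5 honours it there), a check such as `testit_grep "dns alias1 check default keytab" "HOST/${dns_alias1}@$REALM" $net_tool ads keytab list || failed=$(expr $failed + 1)` would cover it.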