From: Andreas Schneider Date: Thu, 10 Apr 2025 14:07:46 +0000 (+0200) Subject: s3:net: Remove `net ads keytab flush` X-Git-Tag: tevent-0.17.0~352 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=684ca0b028b2f6d4ba2c616cda62e52a075f869f;p=thirdparty%2Fsamba.git s3:net: Remove `net ads keytab flush` This removes all entries from a keytab *and* removes all SPNs from the AD machine account. We should not do that and if you want to get rid of the keytab you can use `rm`. Signed-off-by: Andreas Schneider Reviewed-by: Pavel Filipenský
---
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 8440c35e46d..e5b68530866 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -62,7 +62,6 @@ void ads_disp_sd(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct security_descripto
 /* The following definitions come from libads/kerberos_keytab.c */
-int ads_keytab_flush(ADS_STRUCT *ads);
 int ads_keytab_list(const char *keytab_name);
 /* The following definitions come from libads/net_ads_setspn.c */
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 49a892e5a55..8d6b990b651 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -1198,62 +1198,6 @@ static krb5_error_code ads_keytab_open(krb5_context context,
 out:
 return ret;
 }
-
-/**********************************************************************
- Flushes all entries from the system keytab.
-***********************************************************************/
-
-int ads_keytab_flush(ADS_STRUCT *ads)
-{
- krb5_error_code ret = 0;
- krb5_context context = NULL;
- krb5_keytab keytab = NULL;
- ADS_STATUS aderr;
-
- ret = smb_krb5_init_context_common(&context);
- if (ret) {
- DBG_ERR("kerberos init context failed (%s)\n",
- error_message(ret));
- return ret;
- }
-
- ret = ads_keytab_open(context, &keytab);
- if (ret != 0) {
- goto out;
- }
-
- /* Seek and delete all old keytab entries */
- ret = smb_krb5_kt_seek_and_delete_old_entries(context,
- keytab,
- false, /* keep_old_kvno */
- -1,
- false, /* enctype_only */
- ENCTYPE_NULL,
- NULL,
- NULL,
- true); /* flush */
- if (ret) {
- goto out;
- }
-
- aderr = ads_clear_service_principal_names(ads, lp_netbios_name());
- if (!ADS_ERR_OK(aderr)) {
- DEBUG(1, (__location__ ": Error while clearing service "
- "principal listings in LDAP.\n"));
- ret = -1;
- goto out;
- }
-
-out:
- if (keytab) {
- krb5_kt_close(context, keytab);
- }
- if (context) {
- krb5_free_context(context);
- }
- return ret;
-}
-
 #endif /* HAVE_ADS */
 /**********************************************************************
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0128f3eb7e8..d52073685f5 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2911,40 +2911,6 @@ out:
 return ret;
 }
-static int net_ads_keytab_flush(struct net_context *c,
- int argc,
- const char **argv)
-{
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
- ADS_STRUCT *ads = NULL;
- ADS_STATUS status;
- int ret = -1;
-
- if (c->display_usage) {
- d_printf( "%s\n"
- "net ads keytab flush\n"
- " %s\n",
- _("Usage:"),
- _("Delete the whole keytab"));
- TALLOC_FREE(tmp_ctx);
- return -1;
- }
-
- if (!c->explicit_credentials) {
- net_use_krb_machine_account(c);
- }
-
- status = ads_startup(c, true, tmp_ctx, &ads);
- if (!ADS_ERR_OK(status)) {
- goto out;
- }
-
- ret = ads_keytab_flush(ads);
-out:
- TALLOC_FREE(tmp_ctx);
- return ret;
-}
-
 static int net_ads_keytab_create(struct net_context *c, int argc, const char **argv)
 {
 NTSTATUS ntstatus;
@@ -3001,14 +2967,6 @@ int net_ads_keytab(struct net_context *c, int argc, const char **argv)
 N_("net ads keytab create\n"
 " Create (sync) a fresh keytab or update existing one (see also smb.conf 'sync machine password to keytab'.")
 },
- {
- "flush",
- net_ads_keytab_flush,
- NET_TRANSPORT_ADS,
- N_("Remove all keytab entries"),
- N_("net ads keytab flush\n"
- " Remove all keytab entries")
- },
 {
 "list",
 net_ads_keytab_list,