From: Andrew Bartlett Date: Wed, 6 Mar 2024 04:48:09 +0000 (+1300) Subject: s4-libnet: Prepare for a "rolling update" keytab export X-Git-Tag: tdb-1.4.11~1445 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0867595fbdb0e59b3c649f80f36e99ca74af41e;p=thirdparty%2Fsamba.git s4-libnet: Prepare for a "rolling update" keytab export This mode will allow keytabs to be exported with all current keys added to historical keys, which will be useful in a domain with many gMSA servers that require wireshark decryption. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton
---
diff --git a/selftest/knownfail.d/export-keytab b/selftest/knownfail.d/export-keytab
index 97d1f617f8a..9fa9aad7f49 100644
--- a/selftest/knownfail.d/export-keytab
+++ b/selftest/knownfail.d/export-keytab
@@ -1,4 +1,3 @@
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_existing
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_not_a_dir
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_change3_update_keep
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_all_keep_stale
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index 2d3b0ba7c3a..a049751fb4f 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -173,11 +173,32 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
  for (i = 0; i < sentry.keys.len; i++) {
  struct sdb_key *s = &(sentry.keys.val[i]);
  krb5_keyblock *keyp;
+ bool found;
  keyp = KRB5_KT_KEY(&kt_entry);
  *keyp = s->key;
+ code = smb_krb5_is_exact_entry_in_keytab(mem_ctx,
+ context,
+ keytab,
+ &kt_entry,
+ &found,
+ error_string);
+ if (code != 0) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ *error_string = smb_get_krb5_error_message(context,
+ code,
+ mem_ctx);
+ DEBUG(0, ("smb_krb5_is_exact_entry_in_keytab failed code=%d, error = %s\n",
+ code, *error_string));
+ goto done;
+ }
+
+ if (found) {
+ continue;
+ }
+
  code = krb5_kt_add_entry(context, keytab, &kt_entry);
  if (code != 0) {
  status = NT_STATUS_UNSUCCESSFUL;
@@ -210,13 +231,22 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
  }
  if (keys_exported == false) {
- *error_string = talloc_asprintf(mem_ctx,
- "No keys found while exporting %s. "
- "Consider connecting to a local sam.ldb, "
- "only gMSA accounts can be exported over "
- "LDAP and connecting user needs to be authorized",
- principal ? principal : "all users in domain");
- status = NT_STATUS_NO_USER_KEYS;
+ if (keep_stale_entries == false) {
+ *error_string = talloc_asprintf(mem_ctx,
+ "No keys found while exporting %s. "
+ "Consider connecting to a local sam.ldb, "
+ "only gMSA accounts can be exported over "
+ "LDAP and connecting user needs to be authorized",
+ principal ? principal : "all users in domain");
+ status = NT_STATUS_NO_USER_KEYS;
+ } else {
+ DBG_NOTICE("No new keys found while exporting %s. "
+ "If new keys were expected, consider connecting "
+ "to a local sam.ldb, only gMSA accounts can be exported over "
+ "LDAP and connecting user needs to be authorized\n",
+ principal ? principal : "all users in domain");
+ status = NT_STATUS_OK;
+ }
  } else {
  status = NT_STATUS_OK;
  }
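Review bot: On the smb_krb5_is_exact_entry_in_keytab() failure path the new code assigns `*error_string = smb_get_krb5_error_message(context, code, mem_ctx);` unconditionally, although the helper was just handed `error_string` and presumably filled in a more specific message, so that detail is discarded from both the returned error and the DEBUG(0, …) line. Guarding the assignment keeps the helper's text when it exists: `if (*error_string == NULL) { *error_string = smb_get_krb5_error_message(context, code, mem_ctx); }`. A smaller style point: this block logs with the legacy `DEBUG(0, (...))` form while the second hunk of the same commit uses `DBG_NOTICE`, so `DBG_ERR("smb_krb5_is_exact_entry_in_keytab failed code=%d, error = %s\n", code, *error_string);` would be consistent. The exact-entry check also rescans the keytab for every key of every entry, which looks quadratic as a rolling-update keytab accumulates historical keys; a comment such as `/* rescans the keytab per key; acceptable for per-DC keytab sizes */` would record that this is intentional. sdb_kt_copy() starts before and continues after the hunk.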