From: Andrew Bartlett
Date: Tue, 20 Feb 2024 07:12:37 +0000 (+1300)
Subject: librpc/idl: Add a parser for a FILE: format keytab
X-Git-Tag: tdb-1.4.11~1687
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ecaaff57e45bf70754026c54cfba02cd9ca98df1;p=thirdparty%2Fsamba.git

librpc/idl: Add a parser for a FILE: format keytab

This will let us examine keytab entries exported for gMSA accounts and ensure they are the values we expect. This will in particular help test our KDC via the "samba-tool domain exportkeytab" as this is a thin wrapper around the relevant code. Additionally, we can use this to test the new client-side keytab generation in "samba-tool domain exportkeytab" for gMSA accounts.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---

diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl
index 1f0cfa752a9..ee496f015f4 100644
--- a/librpc/idl/krb5ccache.idl
+++ b/librpc/idl/krb5ccache.idl
@@ -1,6 +1,9 @@
 /*
   krb5 credentials cache (version 3 or 4)
   specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
+
+  krb5 keytab (version 2)
+  specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/keytab_file_format.html
 */
 
 #include "idl_types.h"
@@ -112,4 +115,41 @@ interface krb5ccache
 		CREDENTIAL cred;
 		[flag(NDR_REMAINING)] DATA_BLOB further_creds;
 	} MULTIPLE_CREDENTIALS;
+
+	typedef struct {
+		uint16 length;
+		uint8 data[length];
+	} KEYTAB_KEYBLOCK;
+
+	typedef struct {
+		uint16 component_count;
+		[flag(STR_SIZE2|STR_NOTERM|STR_UTF8)] string realm;
+		[flag(STR_SIZE2|STR_NOTERM|STR_UTF8)] string components[component_count];
+		uint32 name_type;
+	} KEYTAB_PRINCIPAL;
+
+	typedef struct {
+		KEYTAB_PRINCIPAL principal;
+		uint32 timestamp;
+		uint8 key_version;
+		uint16 enctype;
+		KEYTAB_KEYBLOCK key;
+		uint32 full_key_version; /* We assume modern Heimdal or MIT 1.14 or later */
+	} KEYTAB_ENTRY;
+
+	/*
+	 * This parser assumes a fresh keytab without negative lengths
+	 * to indicate holes generated by MIT krb5 1.14
+	 */
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		[value(5)] uint8 pvno;
+		[value(2)] uint8 version;
+		[subcontext(4)] KEYTAB_ENTRY entry;
+		[flag(NDR_REMAINING)] DATA_BLOB further_entry;
+	} KEYTAB;
+
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		[subcontext(4)] KEYTAB_ENTRY entry;
+		[flag(NDR_REMAINING)] DATA_BLOB further_entry;
+	} MULTIPLE_KEYTAB_ENTRIES;
 }
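Review bot: `KEYTAB_ENTRY` reads `full_key_version` unconditionally, but in the keytab format linked from the file header the trailing 32-bit kvno is optional (present only when the record length leaves room for it), so an entry written without it will, as far as this hunk shows, fail the `[subcontext(4)]` pull rather than parse with the field absent; the in-struct comment should state that as a hard requirement rather than an assumption, e.g. `uint32 full_key_version; /* Optional in the format but required here: records lacking it (older Heimdal, MIT before 1.14) fail to pull */`. Likewise, a negative record length marks a deleted entry (a hole); because the subcontext length is consumed as an unsigned 32-bit value, such an entry becomes an oversized length and the pull fails instead of the hole being skipped, which is the outcome the block comment above `KEYTAB` should spell out. It is also not visible in this hunk whether the `[value(5)]`/`[value(2)]` attributes on `pvno` and `version` are enforced on pull or only applied on push; if the latter, the Python tests consuming these structures should assert both values after unpacking, since a version-1 keytab has a different layout and would otherwise be mis-parsed silently.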