From: Andrew Bartlett
Date: Tue, 19 Dec 2023 22:53:06 +0000 (+1300)
Subject: s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP withou...
X-Git-Tag: tdb-1.4.11~1466
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f34b910b5bc7bd4097848d75af247279ee4e9781;p=thirdparty%2Fsamba.git

s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA

Only gMSA accounts, and only for authoriszed users, can export be exported without local sam.ldb access.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---

diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index c0b91476580..e58cda79c81 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -44,6 +44,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
  char *entry_principal = NULL;
  bool copy_one_principal = (principal != NULL);
  krb5_data password;
+ bool keys_exported = false;
 
  code = smb_krb5_kt_open_relative(context,
  keytab_name,
@@ -144,6 +145,7 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
  code, *error_string));
  goto done;
  }
+ keys_exported = true;
  }
 
  if (copy_one_principal) {
@@ -162,7 +164,18 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx,
  goto done;
  }
 
- status = NT_STATUS_OK;
+ if (keys_exported == false) {
+ *error_string = talloc_asprintf(mem_ctx,
+ "No keys found while exporting %s. "
+ "Consider connecting to a local sam.ldb, "
+ "only gMSA accounts can be exported over "
+ "LDAP and connecting user needs to be authorized",
+ principal ? principal : "all users in domain");
+ status = NT_STATUS_NO_USER_KEYS;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
 done:
  SAFE_FREE(entry_principal);
  sdb_entry_free(&sentry);
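Review bot: The talloc_asprintf() result in the new `keys_exported == false` branch of the third hunk is never checked, so on allocation failure the function returns NT_STATUS_NO_USER_KEYS with `*error_string` left NULL, and a caller that prints the hint (the second hunk already shows `*error_string` being passed straight to a DEBUG format) would presumably dereference it. Pin the status on the allocation, e.g. `status = (*error_string == NULL) ? NT_STATUS_NO_MEMORY : NT_STATUS_NO_USER_KEYS;`, so the two failure modes stay distinguishable. The condition itself reads more idiomatically as `if (!keys_exported) {` given the bool the first hunk introduces. Note also that the same "no keys" outcome covers an unknown principal, an account without keys and an unauthorized bind, so the hint should stay worded as a possibility rather than a diagnosis. sdb_kt_copy() starts before the first hunk; only its signature is visible in the @@ headers.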