From cb50befaa2107882fb465f7770038246e31d82d4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Pavel=20Filipensk=C3=BD?= Date: Fri, 14 Feb 2025 17:28:54 +0100 Subject: [PATCH] s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab' MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Use specifier 'spn_prefixes=host' instead of 'host' BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher (cherry picked from commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf) --- selftest/target/Samba3.pm | 6 +-- source3/libads/kerberos_keytab.c | 21 +++------- source3/script/tests/test_update_keytab.sh | 48 ---------------------- 3 files changed, 9 insertions(+), 66 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index a6c2917d410..8906608bc1f 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -804,11 +804,11 @@ sub provision_ad_member \"$prefix_abs/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab1:sync_spns:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" + \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" "; } diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 619a7bda0d4..5913db299ad 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -44,7 +44,6 @@ enum spn_spec_type { SPN_SPEC_ACCOUNT_NAME, SPN_SPEC_SYNC_ACCOUNT_NAME, - SPN_SPEC_HOST, SPN_SPEC_SYNC_UPN, SPN_SPEC_SYNC_SPNS, SPN_SPEC_FULL, @@ -164,8 +163,6 @@ static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx, } else if (strequal(option, "sync_account_name")) { spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME; gstate->sync_sam_account = true; - } else if (strequal(option, "host")) { - spec_type = SPN_SPEC_HOST; } else if (strequal(option, "sync_upn")) { spec_type = SPN_SPEC_SYNC_UPN; gstate->sync_upn = true; @@ -251,9 +248,6 @@ static ADS_STATUS pw2kt_scan_line(const char *line, *olist = 0; olist++; - /* Always add 'host' principal */ - desc->spec_array[SPN_SPEC_HOST].is_set = true; - /* Entries are separated via ':' */ while ((tmp = strchr_m(olist, ':')) != NULL) { *tmp = 0; @@ -275,7 +269,8 @@ static ADS_STATUS pw2kt_scan_line(const char *line, /* * Fill struct pw2kt_global_state with defaults if * "sync machine password to keytab" is missing in smb.conf - * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host). + * Creates 1 keytab with these SPN specifiers: + * sync_spns:account_name:spn_prefixes=host:sync_kvno:machine_password */ static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_global_state *state) @@ -302,9 +297,11 @@ static ADS_STATUS pw2kt_default_cfg(const char *name, desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true; desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true; - desc->spec_array[SPN_SPEC_HOST].is_set = true; + desc->spec_array[SPN_SPEC_PREFIX].is_set = true; - return ADS_SUCCESS; + return pw2kt_add_val(state->keytabs, + &desc->spec_array[SPN_SPEC_PREFIX], + "host"); } /* @@ -590,12 +587,6 @@ static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate, case SPN_SPEC_SYNC_ACCOUNT_NAME: ADD_INFO(gstate->ad_sam_account); break; - case SPN_SPEC_HOST: - status = pw2kt_add_prefix(gstate, state2, keytabptr, "host"); - if (!ADS_ERR_OK(status)) { - return status; - } - break; case SPN_SPEC_SYNC_UPN: if (gstate->ad_upn != NULL) { ADD_INFO(gstate->ad_upn); diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh index 0b7dcf0d7d5..964e71036fd 100755 --- a/source3/script/tests/test_update_keytab.sh +++ b/source3/script/tests/test_update_keytab.sh @@ -40,48 +40,18 @@ keytab0="\ -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -1 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; keytab0k="\ 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; keytab1="\ - -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM @@ -118,15 +88,9 @@ keytab1="\ "; keytab1k="\ - 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM @@ -295,24 +259,12 @@ keytab2k="\ "; keytab3="\ - -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM "; keytab3k="\ - 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM -- 2.47.2