From: Pavel Filipenský Date: Sun, 17 Dec 2023 15:15:00 +0000 (+0100) Subject: s3:testparm: Add check for "sync machine password to keytab" to testparm X-Git-Tag: tdb-1.4.11~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27ca58f9bf14fcdc834869fad5631fca9e1c4652;p=thirdparty%2Fsamba.git s3:testparm: Add check for "sync machine password to keytab" to testparm BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher --- diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 34bce413f82..e3ed336a79a 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c 
@@ -270,6 +270,82 @@ done: return ok; } +static int pw2kt_check_line(const char *line) +{ + char *keytabname = NULL; + char *spn_spec = NULL; + char *spn_val = NULL; + char *option = NULL; + bool machine_password = false; + + keytabname = talloc_strdup(talloc_tos(), line); + if (keytabname == NULL) { + return 1; + } + + spn_spec = strchr_m(keytabname, ':'); + if (spn_spec == NULL) { + fprintf(stderr, "ERROR: ':' is expected in line:\n%s\n\n", line); + return 1; + } + *spn_spec++ = 0; + + /* reverse match with strrchr_m() */ + while ((option = strrchr_m(spn_spec, ':')) != NULL) { + *option++ = 0; + if (!strequal(option, "sync_kvno") && + !strequal(option, "sync_etypes") && + !strequal(option, "additional_dns_hostnames") && + !strequal(option, "netbios_aliases") && + !strequal(option, "machine_password")) + { + fprintf(stderr, + "ERROR: unknown option '%s' in line:\n%s\n\n", + option, + line); + return 1; + } + if (strequal(option, "machine_password")) { + machine_password = true; + } + } + if (!machine_password) { + fprintf(stderr, + "WARNING: option 'machine_password' is missing in " + "line:\n%s\n\n", + line); + } + + spn_val = strchr_m(spn_spec, '='); + if (spn_val != NULL) { + *spn_val++ = 0; + if (!strequal(spn_spec, "spns") && + !strequal(spn_spec, "spn_prefixes")) + { + fprintf(stderr, + "ERROR: only SPN specifier 'spns' and " + "'spn_prefixes' can contain '=' and comma " + "separated list of values in line:\n%s\n\n", + line); + return 1; + } + } + + if (!strequal(spn_spec, "account_name") && + !strequal(spn_spec, "sync_spns") && + !strequal(spn_spec, "spns") && + !strequal(spn_spec, "spn_prefixes")) + { + fprintf(stderr, + "ERROR: unknown SPN specifier '%s' in line:\n%s\n\n", + spn_spec, + line); + return 1; + } + + return 0; +} + /*********************************************** Here we do a set of 'hard coded' checks for bad configuration settings. 
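Review bot: pw2kt_check_line splits the line at the first ':' and then peels options off every remaining ':' with strrchr_m, so a ':' inside the keytab name or inside an `spns=`/`spn_prefixes=` value list is taken as a separator and rejected as an unknown option or SPN specifier; if the consumer of this parameter accepts keytab names with a `FILE:`/`WRFILE:` style prefix, such entries would fail this check, which is worth confirming. A comment above the first strchr_m stating the accepted grammar would make the limitation explicit: `/* Format: <keytab>:<spn_spec>[=<list>][:<option>...]; ':' is never allowed inside a field. */`. The `return 1` on talloc_strdup failure makes testparm exit non-zero with no message, unlike every other failure path in the function; `fprintf(stderr, "ERROR: out of memory\n");` before it keeps the output consistent. The talloc copy is never freed explicitly and relies on the caller's talloc_tos() frame being released.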
@@ -280,6 +356,7 @@ static int do_global_checks(void) int ret = 0; SMB_STRUCT_STAT st; const char *socket_options; + const char **lp_ptr = NULL; const struct loadparm_substitution *lp_sub = loadparm_s3_global_substitution(); @@ -717,6 +794,21 @@ static int do_global_checks(void) "CVE-2022-37966\n\n"); } + lp_ptr = lp_sync_machine_password_to_keytab(); + + if (lp_ptr == NULL && USE_KERBEROS_KEYTAB) { + fprintf(stderr, + "SUGGESTION: You may want to use " + "'sync machine password to keytab' parameter " + "instead of 'kerberos method'.\n\n"); + } + + if (lp_ptr != NULL) { + while (*lp_ptr) { + ret |= pw2kt_check_line(*lp_ptr++); + } + } + return ret; }
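Review bot: The SUGGESTION in the second hunk is gated on `lp_ptr == NULL` only, so a configuration that sets the parameter to an empty list would get neither the suggestion nor any line check if loadparm returns a non-NULL pointer to an empty list in that case (to be confirmed against the loadparm implementation); `if ((lp_ptr == NULL || *lp_ptr == NULL) && USE_KERBEROS_KEYTAB) {` covers both. The `if (lp_ptr != NULL) { while (*lp_ptr) ... }` nesting can be flattened to one loop, `for (; lp_ptr != NULL && *lp_ptr != NULL; lp_ptr++) { ret |= pw2kt_check_line(*lp_ptr); }`. do_global_checks begins and continues outside the hunk; `lp_ptr` is declared in the first hunk on this line, far from its only use.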