From: Andrew Bartlett Date: Thu, 7 Mar 2024 01:53:53 +0000 (+1300) Subject: samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export X-Git-Tag: tdb-1.4.11~1444 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9d7a97dc9820e9f69a25a7321d84eb18cd3c6c08;p=thirdparty%2Fsamba.git samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has silently unlinked the given target file. Instead, the administrator now needs to specify a file that does not exist. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton
---
diff --git a/selftest/knownfail.d/export-keytab b/selftest/knownfail.d/export-keytab
index 9fa9aad7f49..34c16072f5a 100644
--- a/selftest/knownfail.d/export-keytab
+++ b/selftest/knownfail.d/export-keytab
@@ -1,3 +1 @@
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_existing
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_not_a_dir
 ^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_change3_update_keep
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index a049751fb4f..76299eb2c38 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -294,7 +294,26 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 } else {
 DEBUG(0, ("Export complete keytab to %s\n", r->in.keytab_name));
 if (!keep_stale_entries) {
- unlink(r->in.keytab_name);
+ struct stat st;
+ int stat_ret = stat(r->in.keytab_name, &st);
+ if (stat_ret == -1 && errno == ENOENT) {
+ /* continue */
+ } else if (stat_ret == -1) {
+ int errno_save = errno;
+ r->out.error_string
+ = talloc_asprintf(mem_ctx,
+ "Failure checking if keytab export location %s is an existing file: %s",
+ r->in.keytab_name,
+ strerror(errno_save));
+ return map_nt_error_from_unix_common(errno_save);
+ } else {
+ r->out.error_string
+ = talloc_asprintf(mem_ctx,
+ "Refusing to export keytab to existing file %s",
+ r->in.keytab_name);
+ return NT_STATUS_OBJECT_NAME_EXISTS;
+ }
+
 /*
 * No point looking for old
 * keys in a empty file
diff --git a/testprogs/blackbox/test_kinit_export_keytab.sh b/testprogs/blackbox/test_kinit_export_keytab.sh
index e520a1c0a2d..204a756c7a1 100755
--- a/testprogs/blackbox/test_kinit_export_keytab.sh
+++ b/testprogs/blackbox/test_kinit_export_keytab.sh
@@ -131,6 +131,7 @@ test_keytab "read keytab from domain" \
 testit "dump keytab from domain (2nd time)" \
 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+ --keep-stale-entries \
 "${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
 failed=$((failed + 1))
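Review bot: `stat()` follows symlinks, so a dangling symlink at `r->in.keytab_name` reports ENOENT, the new check passes, and the keytab (which holds key material) is presumably created wherever the link points by the later keytab open; `lstat()` refuses the link itself, `int stat_ret = lstat(r->in.keytab_name, &st);`. The check is also check-then-act rather than atomic, which is fine for the stated goal of not clobbering an administrator's file but deserves a comment above `struct stat st;` such as `/* Not atomic: refuses a pre-existing path, does not defeat a race with the later open. */`. The final `else` reports a directory as an "existing file"; testing `S_ISDIR(st.st_mode)` would give a clearer message for that case. The enclosing `if (!keep_stale_entries)` block and libnet_export_keytab continue past the hunk.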
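Review bot: Adding `--keep-stale-entries` only sidesteps the new refusal; this script no longer exercises the refusal itself, and a `testit_expect_failure` step re-running `exportkeytab` against the existing `${PREFIX}/tmpkeytab-all` without the flag would pin the new behaviour here, unless the Python dckeytab tests whose knownfail entries this commit drops already cover it. The second dump now also keeps the entries from the first export, so any later `test_keytab` entry counts (outside the hunk) may depend on that.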