Commit

s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense; existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating new SPN(s) from an existing
one, probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called, which then tries by default to generate an SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
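The commit message gives an SPN layout, a derivation rule (long form class/fqdn, short form class/netbios) and a skip rule (primaries ending in '$'). The following is an example written for this page, not Samba's own code, that models those three rules on constructed names so the "host replaced" objection is visible. `spn_parse`, `spn_pair_for_class`, `keytab_primary` and `spn_host_would_be_replaced` are hypothetical helpers; `client.example.com`, `CLIENT`, `web.example.com` and the keytab principals are constructed inputs; the behaviour modelled is the one the message attributes to the code before this change.

```c
/* Added example (not Samba code) modelling the SPN handling described in
 * the commit message. Assumed: AD SPNs are serviceclass/host[:port][/servicename],
 * the derived pair is class/fqdn and class/netbios, and keytab primaries
 * ending in '$' are skipped. Helper names and hostnames are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strcasecmp (POSIX) */

#define SPN_MAX 256

struct spn_parts {
	char serviceclass[SPN_MAX];
	char host[SPN_MAX];
	char port[SPN_MAX];        /* "" when absent */
	char servicename[SPN_MAX]; /* "" when absent */
};

/* Split serviceclass/host[:port][/servicename]; false for anything
 * without the "class/host" shape (e.g. a bare CLIENT$). */
static bool spn_parse(const char *spn, struct spn_parts *out)
{
	const char *slash = strchr(spn, '/'), *rest, *hend, *colon;
	size_t n;

	if (slash == NULL || slash == spn || slash[1] == '\0') return false;
	memset(out, 0, sizeof(*out));
	n = (size_t)(slash - spn);
	if (n >= SPN_MAX) return false;
	memcpy(out->serviceclass, spn, n);
	rest = slash + 1;
	hend = strchr(rest, '/');               /* optional "/servicename" */
	if (hend == NULL) hend = rest + strlen(rest);
	colon = memchr(rest, ':', (size_t)(hend - rest)); /* optional ":port" */
	n = (size_t)((colon != NULL ? colon : hend) - rest);
	if (n == 0 || n >= SPN_MAX) return false;
	memcpy(out->host, rest, n);
	if (colon != NULL) {
		n = (size_t)(hend - (colon + 1));
		if (n >= SPN_MAX) return false;
		memcpy(out->port, colon + 1, n);
	}
	if (*hend == '/') {
		if (strlen(hend + 1) >= SPN_MAX) return false;
		strcpy(out->servicename, hend + 1);
	}
	return true;
}

/* The pair derived per service class: i) class/fqdn, ii) class/netbios. */
static void spn_pair_for_class(const char *cls, const char *fqdn,
			       const char *netbios, char *longform,
			       char *shortform, size_t sz)
{
	snprintf(longform, sz, "%s/%s", cls, fqdn);
	snprintf(shortform, sz, "%s/%s", cls, netbios);
}

/* Copy the primary of primary[/instance][@REALM] into out; true when it
 * does not end in '$', i.e. the pre-change code would have derived SPNs
 * from it and written them to the computer account. */
static bool keytab_primary(const char *princ, char *out, size_t sz)
{
	size_t n = strcspn(princ, "/@");

	if (n == 0 || n >= sz) { out[0] = '\0'; return false; }
	memcpy(out, princ, n);
	out[n] = '\0';
	return out[n - 1] != '$';
}

/* True when rebuilding from ad_spn would quietly substitute this machine
 * for the host AD names: the problem the commit message describes. */
static bool spn_host_would_be_replaced(const char *ad_spn, const char *fqdn,
				       const char *netbios)
{
	struct spn_parts p;

	if (!spn_parse(ad_spn, &p)) return false;
	return strcasecmp(p.host, fqdn) != 0 && strcasecmp(p.host, netbios) != 0;
}

int main(void)
{
	/* Constructed inputs: SPNs as read from the computer object and
	 * principals as found in an existing keytab. */
	const char *fqdn = "client.example.com", *netbios = "CLIENT";
	const char *ad[] = { "http/web.example.com:8080/intranet", "host/CLIENT", NULL };
	const char *kt[] = { "host/client.example.com@EXAMPLE.COM", "CLIENT$@EXAMPLE.COM", NULL };
	char lf[SPN_MAX], sf[SPN_MAX], prim[SPN_MAX];
	struct spn_parts p;
	int i;

	for (i = 0; ad[i] != NULL; i++) {
		if (!spn_parse(ad[i], &p)) continue;
		spn_pair_for_class(p.serviceclass, fqdn, netbios, lf, sf, SPN_MAX);
		printf("%-36s -> %s, %s%s\n", ad[i], lf, sf,
		       spn_host_would_be_replaced(ad[i], fqdn, netbios)
		       ? "   <- host replaced" : "");
	}
	for (i = 0; kt[i] != NULL; i++) {
		bool derive = keytab_primary(kt[i], prim, SPN_MAX);
		printf("%-36s primary=%-8s %s\n", kt[i], prim,
		       derive ? "old code: derived SPNs pushed to AD" : "skipped");
	}
	return 0;
}
```

The first loop is the objection in the message: from the AD-held `http/web.example.com:8080/intranet` the pair derived for this machine is `http/client.example.com` and `http/CLIENT`, a service the client never offered, and under the old default those would have been written to its computer account. The second loop shows why a `CLIENT$` principal is skipped while `host/...` is not. To confirm the post-change behaviour on a real domain member, compare `net ads keytab list` with the computer object's `servicePrincipalName` attribute before and after `net ads keytab create`; only the keytab should change.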
noelpower authored and cryptomilk committed Mar 2, 2018
1 parent 284f550 commit 0af6645
Showing 2 changed files with 6 additions and 6 deletions.
10 changes: 5 additions & 5 deletions source3/libads/kerberos_keytab.c
@@ -545,7 +545,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
p[0] = '\0';

/* Add the SPNs found on the DC */
ret = ads_keytab_add_entry(ads, srv_princ, true);
ret = ads_keytab_add_entry(ads, srv_princ, false);
if (ret != 0) {
DEBUG(1, ("ads_keytab_add_entry failed while "
"adding '%s' principal.\n",
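Review bot: the comment `/* Add the SPNs found on the DC */` above the changed call no longer says what the `false` argument means: SPNs pulled from the DC are now only written into the keytab and are not pushed back to the computer object. Reword it, e.g. `/* Add keytab entries for the SPNs found on the DC; never write them back to AD */`, so the next reader does not have to trace the third parameter of ads_keytab_add_entry to learn that.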
@@ -558,7 +558,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
really needs them and we will fall back to verifying against
secrets.tdb */

ret = ads_keytab_add_entry(ads, "cifs", true));
ret = ads_keytab_add_entry(ads, "cifs", false));
if (ret != 0 ) {
DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
"adding 'cifs'.\n"));
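Review bot: the changed line `ret = ads_keytab_add_entry(ads, "cifs", false));` ends with one more closing parenthesis than it opens, and the old line carries the same `));`. If that is what the file holds rather than a rendering artifact it cannot compile, so please check the line in the tree; if it is only a display artifact, nothing further to do here.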
@@ -607,7 +607,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
goto done;
}

ret = ads_keytab_add_entry(ads, sam_account_name, true);
ret = ads_keytab_add_entry(ads, sam_account_name, false);
if (ret != 0) {
DEBUG(1, (__location__ ": ads_keytab_add_entry() failed "
"while adding sAMAccountName (%s)\n",
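Review bot: this is the third call in the same function where a bare `true` becomes a bare `false`, and nothing at the call site says what is being switched off. A named local near the top of ads_keytab_create_default, e.g. `const bool update_ads = false; /* keytab only, never touch the computer object */`, passed at each site would carry the intent of this commit into the code and make a future "also write SPNs to AD" option a one-line change.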
@@ -618,7 +618,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
/* remember that not every machine account will have a upn */
upn = ads_get_upn(ads, frame, machine_name);
if (upn) {
ret = ads_keytab_add_entry(ads, upn, true);
ret = ads_keytab_add_entry(ads, upn, false);
if (ret != 0) {
DEBUG(1, (__location__ ": ads_keytab_add_entry() "
"failed while adding UPN (%s)\n", upn));
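Review bot: the `if (upn)` branch handles the optional UPN but leaves no trace when ads_get_upn returns NULL, whereas every other entry in this function logs its failure at DEBUG level 1. A `DEBUG(10, ...)` in an else branch noting that the machine account has no UPN would make a keytab that came out without a UPN entry explainable from the log rather than only from the comment `/* remember that not every machine account will have a upn */`.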
@@ -732,7 +732,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)

ret = 0;
for (i = 0; oldEntries[i]; i++) {
ret |= ads_keytab_add_entry(ads, oldEntries[i], true);
ret |= ads_keytab_add_entry(ads, oldEntries[i], false);
TALLOC_FREE(oldEntries[i]);
}

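Review bot: `ret |= ads_keytab_add_entry(ads, oldEntries[i], false);` ORs the return values together, so after the loop `ret` can be a bit-mix of several non-zero codes rather than any real one, and, unlike the four call sites above, a failing entry is not logged. Capture the per-entry result in a local, emit a `DEBUG(1, ...)` naming `oldEntries[i]` when it is non-zero, and then fold it into `ret`, so both the caller and the log know which existing principal could not be re-added.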
2 changes: 1 addition & 1 deletion source3/utils/net_ads.c
@@ -2717,7 +2717,7 @@ int net_ads_keytab(struct net_context *c, int argc, const char **argv)
NET_TRANSPORT_ADS,
N_("Create a fresh keytab"),
N_("net ads keytab create\n"
" Create a fresh keytab")
" Create a fresh keytab or update exising one.")
},
{
"flush",
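Review bot: the new help string `" Create a fresh keytab or update exising one."` has a typo (`exising` for `existing`) and is missing an article; it should read `update an existing one`. The one-line description two lines above it, `N_("Create a fresh keytab")`, was left unchanged, so the short and long descriptions of the same subcommand now disagree; update both, e.g. `N_("Create a fresh keytab or update an existing one")`.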
